lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 28 Sep 2006 10:42:42 -0400
From: <Glenn.Everhart@...se.com>
To: <davek_throwaway@...mail.com>, <full-disclosure@...ts.grok.org.uk>
Cc: bugtraq@...urityfocus.com
Subject: Re: Security as an Enabler - Virtual Trust:
 AnOpen Challenge to All InfoSec Professionals

I see no value in suddenly starting to use a term "virtual trust" for
trust given due to evidence produced over wires as opposed to trust given
due to evidence produced by other means. 

Trust and the validity of evidence to justify it are meaningful. A new candidate
buzzword for a concept that has been around for a long time does not.

Many of us have argued for at least decades now that more trustworthy systems and
more trustworthy evidence for the parties to a transaction not being fooled about the
identity of their correspondents enables more kinds of business. However I see nothing
virtual about the trust that is needed. Seems to me it must be real trust, ultimately
validated by real evidence or statistics showing it is properly granted, whether granted
by a person or an automaton. Whether a human or an automaton evaluates evidence for
identity, either must use similar statistics to validate their choices and either will
probably perform better given more and more varied evidence. If you build your authentication
systems so that available evidence is excluded, shame on you. But this observation was published
at least 14 years back, probably further, and depends on there being real trust, real
evidence, and real ways to tell (at least statistically) whether it is being conferred
justly. I suspect efforts to separate them obscure rather than elucidate.

Glenn Everhart


-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk]On Behalf Of Dave "No,
not that one" Korn
Sent: Thursday, September 28, 2006 9:43 AM
To: full-disclosure@...ts.grok.org.uk
Cc: bugtraq@...urityfocus.com
Subject: Re: [Full-disclosure] Security as an Enabler - Virtual Trust:
AnOpen Challenge to All InfoSec Professionals


Kenneth F. Belva wrote:
> I've been defending Virtual Trust as an enabler for the past three
> days on the full-disclosure list. So far, fairly successfully.

  An enabler *of* anything in particular?  Or just some kind of magic 
enabling pixie dust, good for all purposes?

> Here's the challenge: How creative are you *for* VT, *against* VT and
> determining the *impact* of VT?

  What does "being creative *for*" something even mean?

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today.... 



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


**********************************************************************
This transmission may contain information that is privileged, confidential, legally privileged, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. Although this transmission and any attachments are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and no responsibility is accepted by JPMorgan Chase & Co., its subsidiaries and affiliates, as applicable, for any loss or damage arising in any way from its use. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Thank you.
**********************************************************************

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ