lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 28 Sep 2006 11:36:21 -0400 (EDT)
From: "Kenneth F. Belva" <ken@...security.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Security as an Enabler - Virtual Trust: An
 Open Challenge to All InfoSec Professionals

Glenn,

Thanks for your reply. My response:

Most of your argument below does not get to the heart of the issue. It
seems to be an issue of semantics. You do not like the term Virtual Trust.

You write:

>Many of us have argued for at least decades now that more trustworthy
systems and
>more trustworthy evidence for the parties to a transaction not being
fooled about the
>identity of their correspondents enables more kinds of business.

It seems that you already agree with our thesis: authentication and other
security mechanisms enable business.

I might add: if true, it now appears that prior efforts to describe
authentication as a means to enable business have not made much headway.
It does not appear to be common knowledge amongst information security
professionals.

Perhaps you will find some benefit in supporting the current effort to
explain security as a business enabler.

Thank you for your comments.

Ken


>I see no value in suddenly starting to use a term "virtual trust" for
>trust given due to evidence produced over wires as opposed to trust given
>due to evidence produced by other means.
>
>Trust and the validity of evidence to justify it are meaningful. A new
candidate
>buzzword for a concept that has been around for a long time does not.
>
>Many of us have argued for at least decades now that more trustworthy
systems and
>more trustworthy evidence for the parties to a transaction not being
fooled about the
>identity of their correspondents enables more kinds of business. However
I see nothing
>virtual about the trust that is needed. Seems to me it must be real
trust, ultimately
>validated by real evidence or statistics showing it is properly granted,
whether granted
>by a person or an automaton. Whether a human or an automaton evaluates
evidence for
>identity, either must use similar statistics to validate their choices
and either will
>probably perform better given more and more varied evidence. If you build
your authentication
>systems so that available evidence is excluded, shame on you. But this
observation was published
>at least 14 years back, probably further, and depends on there being real
trust, real
>evidence, and real ways to tell (at least statistically) whether it is
being conferred
>justly. I suspect efforts to separate them obscure rather than elucidate.
>
>Glenn Everhart

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists