What do you use PGP/SMIME for?
nick at leippe.com
Fri May 9 17:30:03 MDT 2008
On Friday 09 May 2008, Andrew Jorgensen wrote:
> On Fri, 2008-05-09 at 14:42 -0600, Nicholas Leippe wrote:
> > a) an open doorway
> > b) a door without a lock
> > c) a door with a broken lock
> > d) a door with a lock, but the key is 'hidden' under the mat, which fact
> > is common knowledge
> > e) a door with a lock, and the key is 'hidden' under the mat, which fact
> > is not common knowledge
> > f) a door with a lock
> I was gonna reply. In fact I did but I just erased it because I
> realized you're arguing about a linear scale vs. a logarithmic scale and
> that's JUST PLAIN DUMB. I'm not going to participate in another
> big-endian vs little-endian debate.
No, I'm not. I'm saying that there _is no scale_ until you actually have
security in place. It's a linear scale, shifted to the right--and the
question is how do we define where to put the y-intercept?
Here's a definition of security from Wikipedia, which, surprisingly to me, fits
nearly exactly with what I've had in mind:
"A condition that results from the establishment and maintenance of protective
measures that ensure a state of inviolability from hostile acts or
Notice that it requires:
1) protective measures
which are specifically for the purpose of:
2) "ensuring" that no "hostile acts or influences" enter
It says nothing about acts or influences that are not specifically hostile. It
says nothing about protective measures designed for anything less
than "ensuring" against hostile acts or influences. So the meandering fool
that might walk in is of no concern. Furthermore, until there is a protective
measure that fulfills (2), there is no security of which to even talk about.
Notice that it also uses the word "ensure"--not just "deter" from trying, but
to ultimately prevent the possibility of success.
If you want to include the concept of "keeping out meandering fools that have
no hostile intent" in the bottom of your security scale, I guess that's one
way of defining security--but I don't think that way.
The open doorway with armed guards was a good point. That most certainly
counts as a "protective measure". It's not a lock, but it's even more
effective since lethal force will most definitely ensure against hostile
So, "how secure" is something? Using the definition above it only regards how
well it prevents people that do have hostile intent from succeeding.
This is why I say that DVD CSS, or the door with the key on the outside, are
absolutely not secure, because anyone with hostile intent can walk right in.
Regardless of the meandering fools that they might deter, they still do
nothing to "ensure" that the "hostiles" can't enter.
If you want to simply talk about how well something deters people without any
hostile intent, I suggest that we're no longer talking about security at all.
Instead, we're talking about creating inconvenience for the curious. I don't
have a label for that, but I think that's the distinction that I've been
trying to make. This "inconvenience" has a scale, but it is not on the same
chart as the security scale. You could create a chart that is a function of
both--but the ordinate would not be "security", it would be something else.