What do you use PGP/SMIME for?

Nicholas Leippe nick at leippe.com
Fri May 9 17:30:03 MDT 2008

On Friday 09 May 2008, Andrew Jorgensen wrote:
> On Fri, 2008-05-09 at 14:42 -0600, Nicholas Leippe wrote:
> > a) an open doorway
> > b) a door without a lock
> > c) a door with a broken lock
> > d) a door with a lock, but the key is 'hidden' under the mat, which fact
> > is common knowledge
> > e) a door with a lock, and the key is 'hidden' under the mat, which fact
> > is not common knowledge
> > f) a door with a lock
> I was gonna reply.  In fact I did but I just erased it because I
> realized you're arguing about a linear scale vs. a logarithmic scale and
> that's JUST PLAIN DUMB.  I'm not going to participate in another
> big-endian vs little-endian debate.

No, I'm not. I'm saying that there _is no scale_ until you actually have 
security in place. It's a linear scale, shifted to the right--and the 
question is how do we define where to put the y-intercept?

Here's a definition of security from wikipedia, which surprisingly to me, fits 
nearly exactly with what I've had in mind:

"A condition that results from the establishment and maintenance of protective 
measures that ensure a state of inviolability from hostile acts or 

Notice that it requires:
1) protective measures
which are specifically for the purpose of:
2) "ensuring" that no "hostile acts or influences" enter

It says nothing about acts or influences that are not specifically hostile. It 
says nothing about protective measures designed for anything less 
than "ensuring" against hostile acts or influences. So the meandering fool 
that might walk in is of no concern. Furthermore, until there is a protective 
measure that fulfills (2), there is no security of which to even talk about. 
Notice that it also uses the word "ensure"--not just "deter" from trying, but 
to ultimately prevent the possibility of success.

If you want to include the concept of "keeping out meandering fools that have 
no hostile intent" in the bottom of your security scale, I guess that's one 
way of defining security--but I don't think that way.

The open doorway with armed guards was a good point. That most certainly 
counts as a "protective measure". It's not a lock, but it's even more 
effective since lethal force will most definitely ensure against hostile 

So, "how secure" is something? Using the definition above it only regards how 
well it prevents people that do have hostile intent from succeeding.

This is why I say that dvd css, or the door with the key on the outside, are 
absolutely not secure, because anyone with hostile intent can walk right in. 
Regardless of the meandering fools that they might deter, they still do 
nothing to "ensure" that the "hostiles" can't enter.

If you want to simply talk about how well something deters people without any 
hostile intent, I suggest that we're no longer talking about security at all. 
Instead, we're talking about creating inconvenience for the curious. I don't 
have a label for that, but I think that's the distinction that I've been 
trying to make. This "inconvenience" has a scale, but it is not on the same 
chart as the security scale. You could create a chart that is a function of 
both--but the ordinate would not be "security", it would be something else.

More information about the PLUG mailing list