----- Original Message -----
From: "Ian Grigg" <[EMAIL PROTECTED]>
Sent: Saturday, October 11, 2003 1:22 PM
Subject: Re: NCipher Takes Hardware Security To Network Level

> Is there any reason to believe that people who
> know nothing about security can actually evaluate
> questions about security?

Actually, there are reasons to believe that they won't be able to, just as I would not be qualified to evaluate the functionality of a sewage pump (except from the perspective of "it seems to work").

> And, independent assessors are generally subvertable
> by special interests (mostly, the large incumbents
> encourage independent assessors to raise barriers
> to keep out low cost providers). Hence, Peter's
> points. This is a very normal economic pattern, in
> fact, it is the expected result.

I take the counter view: assuming that an independent assessor can be found that is truly independent, that assessor helps the small companies _more_ than the larger ones.

To make a pointed example I will use a current situation (which I am active in). Trust Laboratories is a software assurance firm, whose first service is the assurance of PKCS #11 modules. From the marketing perspective the large incumbents (e.g. nCipher, which started this conversation) have little incentive to seek such assurances; they already have a solid lock on the market, and the brand recognition to keep it that way. The small companies though have a much stronger incentive: with an assurance they can hint, and in some cases maybe even outright claim, technological superiority over the incumbents, giving them a strong road into the market. The only purpose the incumbents have for such assurances is combating the small companies' assurances (not that I wouldn't love to have nCipher as a customer; I think it would lend a great deal of credibility to the assurance, as well as solidifying their market share against the under-developed technologies).

> So, right now, I'd say the answer to that question
> is that there is no way for someone who knows nothing
> about security to objectively evaluate a security
> product.

That will likely always be the case. In order to judge what level of security is required they simply must have some knowledge of security. Otherwise it is very much like asking John Smith what Ian Grigg's favorite food is; (a typical) John Smith simply does not have the knowledge to give a useful answer.

Joe
Trust Laboratories
Changing Software Development
http://www.trustlaboratories.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]