Anne & Lynn Wheeler wrote:
issues did start showing up in the mid-90s in the corporate world ... there were a large number of former gov. employees starting to show up in different corporate security-related positions (apparently after being turfed from the gov). their interests appeared to possibly reflect what they may have been doing prior to leaving the gov.

one of the issues is that corporate/commercial world has had much more orientation towards prevention of wrongdoing. govs. have tended to be much more preoccupied with evidence and prosecution of wrongdoing. the influx of former gov. employees into the corporate world in the 2nd half of the 90s, tended to shift some of the attention from activities related to prevention to activities related to evidence and prosecution (including eavesdropping).

for lots of drift ... one of the features of the work on x9.59 from the mid-90s
http://www.garlic.com/~lynn/x959.html#x959
http://www.garlic.com/~lynn/subpubkey.html#x959

was its recognition that insiders had always been a major factor in the majority of financial fraud and security breaches. furthermore that with various financial functions overloaded for both authentication and normal day-to-day operations ... that there was no practical way of eliminating all such security breaches with that type of information. ... part of this is my repeated comment on security proportional to risk
http://www.garlic.com/~lynn/2001h.html#61

the x9.59 approach was to eliminate the function overload so that the same information that was needed for normal day-to-day operation didn't also carry with it any authentication feature/attribute. the result was that data breaches could still occur, but no longer enabled the financial fraud that it once did ... and therefore it didn't really represent a serious security breach ... aka the countermeasure to financial fraud associated with the data breaches was to recognize that it was impossible to totally eliminate them, since the information was required extensively in day-to-day business processes, so to prevent the wrongdoing, the authentication feature/attribute was removed from the associated information.

---------------------------------------------------------------------
The Cryptography Mailing List
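An added illustration of the message's last paragraph (removing the authentication attribute from day-to-day information); it is not part of the original post and is not the X9.59 specification. The HMAC tag, the nonce, and every name and value below are assumptions of this example, since the post does not describe the mechanism.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: the account number and key are made up.
ACCOUNT = "4000001234567890"
OWNER_KEY = secrets.token_bytes(32)  # assumption: held by owner and issuer only
ISSUER_KEYS = {ACCOUNT: OWNER_KEY}


def overloaded_authorize(account):
    """Overloaded design: knowing the account number is the authentication."""
    return account in ISSUER_KEYS


def make_tag(key, account, amount, nonce):
    """Per-transaction authenticator (HMAC is this example's stand-in)."""
    msg = f"{account}|{amount}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class SeparatedIssuer:
    """Account number only identifies; a per-transaction tag authenticates."""
    def __init__(self, keys):
        self.keys, self.seen = keys, set()

    def authorize(self, account, amount, nonce, tag):
        key = self.keys.get(account)
        if key is None or (account, nonce) in self.seen:
            return False  # unknown account, or a replayed transaction
        if not hmac.compare_digest(tag, make_tag(key, account, amount, nonce)):
            return False  # tag does not cover these transaction details
        self.seen.add((account, nonce))
        return True


def simulate_breach():
    issuer = SeparatedIssuer(ISSUER_KEYS)
    nonce = secrets.token_hex(8)
    tag = make_tag(OWNER_KEY, ACCOUNT, 2500, nonce)
    legit = issuer.authorize(ACCOUNT, 2500, nonce, tag)
    # What a merchant keeps for day-to-day processing, and what a breach exposes.
    rec = {"account": ACCOUNT, "amount": 2500, "nonce": nonce, "tag": tag}
    return {
        "legit": legit,
        "overloaded_stolen_number": overloaded_authorize(rec["account"]),
        "separated_replay": issuer.authorize(rec["account"], rec["amount"], rec["nonce"], rec["tag"]),
        "separated_new_purchase": issuer.authorize(rec["account"], 9900, secrets.token_hex(8), rec["tag"]),
    }
```

In the separated design the breached record still contains the account number, but that record alone no longer authorizes anything.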