EKR writes:
> I'm trying to figure out why you want to invent a new authentication
> protocol rather than just going back to the literature ...

there's another rationale my clients often give for
wanting a new security system, instead of the off-
the-shelf standbys:  IPSec, SSL, Kerberos, and the
XML security specs are seen as too heavyweight for
some applications.  the developer doesn't want to
shoehorn these systems' bulk and extra flexibility
into their applications, because most applications
don't need most of the flexibility offered by these

some shops experiment with the idea of using only
part of OpenSSL, but stripping unused stuff out of
each new release of OpenSSL is a maintenance hassle.

note that customers aren't usually dissatisfied with
the crypto protocols per se;  they just want the
protocol's implementation to meet their needs exactly,
without extra baggage of flexibility, configuration
complexity, and bulk.  they want their crypto clothing
to fit well, but what's available off-the-rack is
a choice between frumpy one-size-fits-all, and a
difficult sew-your-own kit, complete with pattern,
fabric, and sewing machine.  so, they often opt for
tailor-made crypto clothing.

my clients' concern (to keep their crypto code as
small and as simple as possible) doesn't justify
their inventing and deploying broken protocols, but
their concern does point out that neither the crypto
industry nor the crypto literature has fully met
these customers' crypto needs.

                                - don davis, boston


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to