At 11:50 PM -0400 10/1/03, Ian Grigg wrote:
...
A threat must occur sufficiently in real use, and incur
sufficient costs in excess of protecting against it, in
order to be included in the threat model on its merits.


I think that is an excellent summation of the history-based approach to threat modeling. There is another approach, however: capability-based threat modeling. What attacks will adversaries whom I reasonably expect to encounter mount once the system I am developing is deployed? Military planners call this the "responsive threat." There are many famous failures of history-based threat modeling: tanks vs. cavalry, bombers vs. battleships, vacuum tubes vs. electromechanical cipher machines, box cutters vs. skyscrapers, etc.


In the world of the Internet the time available to put in place measures to counteract new threats once they are publicized appears to be shrinking rapidly. And we are only seeing one class of adversaries: the informal network of hackers. For the most part, they have not tried to maximize the damage they cause. There is another class, hostile governments and terrorists, who have so far not shown their hands but are presumably following developments closely. I don't think we can restrict ourselves to threats already proven in the wild.

Then there is the matter of costs and who pays them. Industry is often willing to absorb small costs, or, better, fob them off onto consumers. Moderate costs can be insured against or written off as "extraordinary expenses." Stockholders are shielded from the full impact of catastrophic costs by the bankruptcy laws and can sometimes even get governments to subsidize such losses.

Perhaps guilds are the right model for cryptography. At their best, guilds preserve knowledge and uphold standards that would otherwise be ignored by market forces. Anyone out there willing to have open heart surgery performed by someone other than a member of the surgeon's guild?


Arnold Reinhold


---------------------------------------------------------------------
The Cryptography Mailing List