----- Original Message ----- 
From: "Ian Grigg" <[EMAIL PROTECTED]>
Sent: Saturday, October 11, 2003 1:22 PM
Subject: Re: NCipher Takes Hardware Security To Network Level

> Is there any reason to believe that people who
> know nothing about security can actually evaluate
> questions about security?

Actually, there are reasons to believe that they won't be able to, just as I
would not be qualified to evaluate the functionality of a sewage pump
(except from the perspective of "it seems to work").

> And, independent assessors are generally subvertable
> by special interests (mostly, the large incumbents
> encourage independent assessors to raise barriers
> to keep out low cost providers).  Hence, Peter's
> points.  This is a very normal economic pattern, in
> fact, it is the expected result.

I take the counter view: assuming that an independent assessor can be found
that is truly independent, that assessor helps the small companies _more_
than the larger ones. To make a pointed example I will use a current
situation (in which I am active).

Trust Laboratories is a software assurance firm, whose first service is the
assurance of PKCS #11 modules. From the marketing perspective, the large
incumbents (e.g. nCipher, which started this conversation) have little
incentive to seek such assurances; they already have a solid lock on the
market, and the brand recognition to keep it that way. The small companies,
though, have a much stronger incentive: with an assurance they can hint at,
and in some cases maybe even outright claim, technological superiority over the
incumbents, giving them a strong road into the market. The only purpose the
incumbents have for such assurances is combating the small companies'
assurances (not that I wouldn't love to have nCipher as a customer; I think
it would lend a great deal of credibility to the assurance, as well as
solidifying their market share against the under-developed technologies).

> So, right now, I'd say the answer to that question
> is that there is no way for someone who knows nothing
> about security to objectively evaluate a security
> product.

That will likely always be the case. In order to judge what level of
security is required, they simply must have some knowledge of security.
Otherwise it is very much like asking John Smith what Ian Grigg's favorite
food is; (a typical) John Smith simply does not have the knowledge to give a
useful answer.

Trust Laboratories
Changing Software Development

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]