----- Original Message ----- From: "Ian Grigg" <[EMAIL PROTECTED]>
> * In contrast, someone who knows little about cars,
> can objectively evaluate a car. They can take it
> for a test drive and see if it feels right. Using
> it is proving it.

I'm not totally convinced of this... Someone with little knowledge about cars might see the difference between a KIA and a Mercedes in one test drive, but I would think that most affordable cars seem to drive the same in a simple test drive (at least from my experience). But what a person will do is talk to his friends and get feedback; he'll learn that some types of cars have a bad reputation and others seem to be good.

This is also done in security. Take for example host security modules used by banks: most banks make their choice based on the vendor's reputation. Unfortunately this choice is often influenced by publicity (and the more a certain company sells, the more money it makes, the more publicity it can afford, the more it will sell, even if their product is not the best). There is a marketing rule that states that there is one product that dominates its field in every category and gets about 80% of all sales, then there are 1-3 other products that battle for second place, and all others get almost nothing (for example, for cola, Coke is number 1, with Pepsi coming second). I don't think security products make an exception to this.

Another way people choose products is if they are recommended. For example, I buy a certain toothpaste because it is recognized by the Canadian dental association. This is a sort of certification. There are certainly other examples of products in everyday life that get this type of certification that influence people's choices. Of course, publicity also has some degree of influence here as well.

There are no official security associations recognized by the government that include most of the security experts we know; rather, what exists is certain standards that the government itself decides upon and are used (FIPS 140, CC).
This lack of an independent security association to which any security expert can become a member of is maybe the root of the problem?

--Anton
