At 11:20 PM 12/20/2003 -0800, Carl Ellison wrote:
Sorry, Lynn, but I don't buy this.

It's missing replay prevention (freshness)

and it included non-repudiation which is an unachievable, nonsense concept.

If you want to keep the mnemonic, you can change the 4th one to
"non-replay".

- Carl

but non-replay would be pretty specific to transactions in flight .... there are probably gobs of additional threats .... if i was looking at data in flight and data at rest ... non-replay wouldn't even apply to all data in flight. non-repudiation could apply to data in flight (whether or not there was a replay attack) as well as data at rest. one possible issue is that you don't necessarily have to apply non-repudiation ... but it can be a significant security issue. One of the issues of asking that every entity have a unique password and nobody shares passwords could be considered a non-repudiation issue. In the case of insider fraud .... being able to tie every action to a specific entity helps in post-event analysis of fraud events.


one could look at one aspect of non-repudiation as the requirement for everybody having a unique pin/password with guidelines never to share pin/passwords ... which could be considered across a broad range of security activities. replay might be considered a more specific kind of threat to just transactions. Some number of non-repudiation definitions allow for a lot more feature/function than simply don't share your password .... but a simple conjecture is that whoever originated "pain" might have been thinking of something as that simple.

in any case as mentioned in the previous reply .... doing search engine on
+security +pain +privacy +authentication +integrity +non-repudiation
on at least google and alta vista turns up several hundred references .... even discounting the medical entries where pain isn't an acronym/mnemonic


i just tried the same on google for
+security +pain +privacy +authentication +integrity +non-replay
and got zero hits
--
Anne & Lynn Wheeler http://www.garlic.com/~lynn/
Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm
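To make the distinction in the two messages above concrete, here is a constructed example (not code from either poster): a receiver that checks integrity/authentication with a MAC, rejects replayed in-flight transactions with a nonce cache plus timestamp window, and records which entity performed each accepted action, which is the "unique credential per entity" reading of non-repudiation. The entity names, keys, the 300-second window and the message layout are all assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed per-entity secret keys, standing in for the rule that every
# entity has its own credential and nobody shares it.
KEYS = {"alice": b"alice-secret", "bob": b"bob-secret"}
WINDOW = 300  # seconds of timestamp skew tolerated before a message is stale


def _canon(body):
    """Canonical encoding so sender and receiver MAC identical bytes."""
    return json.dumps(body, sort_keys=True).encode()


def make_transaction(entity, action, now=None, nonce=None):
    """Sender side: MAC the action together with a fresh nonce and timestamp."""
    body = {"entity": entity, "action": action,
            "nonce": nonce or secrets.token_hex(8),
            "ts": int(now if now is not None else time.time())}
    tag = hmac.new(KEYS[entity], _canon(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Receiver:
    """Order of checks: integrity/authentication, then freshness (non-replay),
    then record the accepted action against one entity.  A shared-key MAC gives
    accountability only if the receiver is trusted; third-party non-repudiation
    would need a per-entity signature instead."""

    def __init__(self):
        self.seen = set()   # (entity, nonce) pairs already accepted
        self.audit = []     # accepted actions, each tied to one entity

    def accept(self, msg, now=None):
        body = msg["body"]
        now = now if now is not None else time.time()
        key = KEYS.get(body.get("entity"))
        if key is None:
            return "unknown-entity"
        want = hmac.new(key, _canon(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(want, msg["tag"]):
            return "bad-tag"        # integrity / authentication failed
        if abs(now - body["ts"]) > WINDOW:
            return "stale"          # too old (or too far in the future)
        if (body["entity"], body["nonce"]) in self.seen:
            return "replay"         # same in-flight transaction seen again
        self.seen.add((body["entity"], body["nonce"]))
        self.audit.append((body["entity"], body["action"]))
        return "ok"
```

Note that the replay check only ever fires on messages in flight; the audit list is what survives at rest and is what post-event analysis would consult.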


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]