>>> Ian Grigg <[EMAIL PROTECTED]> 12/20/2003 12:15:51 PM >>>
> One of the (many) reasons that PKI failed is
> that businesses simply don't outsource trust.

Of course they do. Examples: D&B and other credit reporting agencies. SEC for fair reporting of financial results. International Banking Letters of Credit when no shared root of trust exists. Errors and Omissions Professional Liability insurance for consultants you don't know. Workman's Compensation insurance for independent contractors you don't know.

The point is that the "real world" has monetized risk. But the crypto-elite have concentrated too hard on eliminating environmental factors from proofs of correctness of algorithms, protocols, and most importantly, business processes. Crypto is not business-critical. It's the processes it's supposed to be protecting that are, and those are the ones that are insured.

Legal and regulatory frameworks define how and where liability can be assigned, and that allows insurance companies to factor in stop-loss estimates for their exposure. Without that, everything is a crap shoot.

Watching how regulation is evolving right now, we may not see explicit liability assignments to software vendors for their vulnerabilities, whether for operating systems or for S/MIME email clients. Those are all far too limited in what they could offer, anyway. What's happening, instead, is that consumers of those products are themselves facing regulatory pressure to assure their customers and regulators that they're providing adequate systematic security through technology as well as business policies, procedures and (ultimately) controls (i.e., auditable tests for control failures and adequacy). When customers can no longer say "gee, we collected all this information, and who knew our web server wouldn't keep it from being published on the NYTimes classified pages?", then vendors will be compelled to deliver pieces of the solution that allow THE CUSTOMER (product consumer) to secure their environments. Get ready.

Trusted Third Party evaluations, like FIPS 140 is for Crypto, will be the thing insurance companies look to for guidance in factoring their risk exposure when asked to provide warranty coverage to businesses using technology - just like they did to Underwriters Laboratories for electrical appliances, just like they do to D&B for commercial credit processing, just like they do to MasterCard and VISA for consumer credit processing.

And before you say "well, that doesn't apply to internal company security", ask yourself how many companies outsource physical security to Brinks or some other security-guard employment agency. They can do that, too, because of other insurance (personal bonds) that help them lay off the exposure to misplaced trust.

Trust is heavily outsourced. Only the very large or very foolish think they can "go it alone". And the very large generally have governments in their pockets to help provide the stop-loss limits for their exposure. No?

Ed

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]