Adam Shostack wrote:
So, that may be the case when you're dealing with an SSL accelerator,
but there are lots of other cases, say, implementing daabase security
rules, or ensuring that non-transactional lookups are logged, which
are harder to argue for, take more time and energy to implement, and
may well entail not implementing customer-visible features to get them
in on budget.
Choicepoint and Lexis Nexis seemingly, had neither.  Nor are they
representational.   We lack good data, and while there are a few
hundred folks who have the experience, chops, and savvy to help their
customers make good decisions, there are tens of thousands of
companies, many of whom choose not to pay rates for that sort of
advice, and hire an MCSE, instead.  People who slap the label "best
practice" on log truncation.

I think that we need to promulgate the idea that Choicepoint is
creating a shift, that it will be ok to talk about breaches, with the
intent of getting better data over time.

we got brought in to work on some word smithing for both the cal. state and the fed. digital signature legislation (we somewhat concentrated on the distinction between digital signature authentication and that human signature implies read, understands, agrees, approves, authorizes, etc .... which isn't present in simple authentication).

one of the industry groups that was active in the effort had done some extensive surveys on driving factors behind various kinds of regulatory and legislative actions. with regard to privacy regulatory/legislative actions ... the two main driving factors were 1) identity theft and 2) effectively institutional (gov, commercial, etc) denial of service.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to