On Jan 31, 2008, at 10:32 PM, Richard Salz wrote:
Developers working in almost any field should know the history and best practices -- is PGP's original "bass o matic" any more important than the code in a defibrillator? -- but this is not the way our field works right
now.  Compare it to something like civil engineering or architecture.

I think this misses the point. Security is different.

In 2008, I can learn to build pretty good suspension bridges by learning the state of the art of bridge-building. After that, as long as I live, I run almost no risk of Newtonian mechanics being shown to be wrong for any value of wrong that would make me go "well, wow, I no longer understand how to build bridges".

In other words, people who build bridges these days can give you a convincing presentation, based on solid physics and a highly-complete threat model (soil erosion, material failure, etc) that their bridge will do its job. They can say "this bridge will work because it satisfies well-understood and reasonably immutable laws of nature".

People who attempt to build secure systems have no ultimately well- understood (let alone immutable!) requirements to design against. A good approximation is "a secure system is one that survives all relevant attacks that people in our field have come up with thus far", but it's clear that a system successfully meeting that goal can simply cease to meet it any given day. Thus unlike with bridges, you fundamentally can't evaluate the quality of a security system you built if you're unfamiliar with the state of the art of _attacks_ against security systems, and you can't become familiar with those unless you realize that these attacks have each brought down a system previously considered impregnable. And if by the time you've gone through dozens of broken systems and their corresponding attacks you still think you're smart enough to write a new system by yourself, you're either very brave or very daft.

Neither of those mean you're a bad person, but both mean you shouldn't be designing security systems.

Ivan Krstić <[EMAIL PROTECTED]> | http://radian.org

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to