Arshad Noor wrote:
While programmers or business people could be ill-informed, Allen,
I think the greater danger is that IT auditors do not know enough
about cryptography, and consequently pass unsafe business processes
and/or software as being secure.
This is the reason why we in the OASIS Enterprise Key Management
Infrastructure Technical Committee have made educating IT Auditors
and providing them guidelines on how to audit symmetric key-management
infrastructures, one of the four (4) primary goals of the TC. While
the technology is well understood by most people on this forum, until
we educate the gate-keepers, we have failed in our jobs to secure IT
infrastructure.
Yep. It seems like we've had a bit of this conversation recently,
haven't we? ;-> And it is not just the gatekeepers, but also the
users who need education. We know that we will not have enough
"gatekeepers" to watch all users and uses.
Given this, the real question is, /"Quis custodiet ipsos custodes?"/
(Given as either "Who will watch the watchers themselves?" or "Who
will guard the guardians?" from Juvenal.) Here we have the perfect
examples of the conundrum in No Such Agency or the Company, who
evade oversight or it is so obfuscated that the watchers at the
political level either don't know what is really going on or they
are complicit. Funny how something as off the main track of society
as cryptography still reflects the identical problems of the greater
whole, isn't it?
I also argue that badly structured protocol requirements that
potentially obfuscate what is going on is a serious issue as well.
Then too, there is documentation that does not get down to the bare
metal, so to speak, so that those who are not skilled at reading
code, and its implications, can understand what is going on. The
Romans knew that and made it law: /Quod non est in actis, non est in
mundo./ ("What is not in the documents does not exist")
All of this requires team thinking so that everyone who is looking
at the issues involved, no matter from what direction, creator,
auditor or end user, gets "it."
Allen
Arshad Noor
StrongAuth, Inc.
Allen wrote:
Hi gang,
All quiet on the cryptography front lately, I see. However, that does
not prevent practices that *appear* like protection but are not even
as strong as wet toilet paper.
I had to order a medical device today and they need a signed
authorization for payment by my insurance carrier. No biggie. So they
ask how I want it sent to me and I said via e-mail. Okay. /Then/ they
said it was an encrypted file and I thought, cool. How wrong could I be?
Very. The (I hate to use this term for something so pathetic) password
for the file is 6 (yes, six) numeric characters!
My 6 year old K6-II can crack this in less than one minute as there
are only 1.11*10^6 possible.
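A worked keyspace estimate for the situation Allen describes, added here as an example and not part of the original thread. It computes the size of the password space, its entropy in bits, and the worst-case exhaustive-search time for an assumed guess rate (the rate is a placeholder; the thread gives no figure). Counting every numeric password of one to six digits reproduces the 1.11*10^6 quoted above, while a fixed six-digit PIN gives exactly 10^6; both are compared against a longer mixed-alphabet password to show why a numeric PIN is no protection for an encrypted attachment.

```python
import math

# Alphabet sizes used for comparison (constructed for this example).
DIGITS = 10          # 0-9
ALNUM_MIXED = 62     # a-z, A-Z, 0-9


def keyspace(alphabet_size: int, max_length: int, allow_shorter: bool = False) -> int:
    """Number of distinct passwords.

    allow_shorter=True counts every length from 1 up to max_length
    (this is the 1.11*10^6 figure for 1..6 digit numeric passwords);
    allow_shorter=False counts only passwords of exactly max_length.
    """
    if allow_shorter:
        return sum(alphabet_size ** n for n in range(1, max_length + 1))
    return alphabet_size ** max_length


def entropy_bits(space: int) -> float:
    """Entropy of a uniformly chosen password from a space of the given size."""
    return math.log2(space)


def worst_case_seconds(space: int, guesses_per_second: float) -> float:
    """Time to try every candidate at the given rate (exhaustive search upper bound)."""
    return space / guesses_per_second


def policy_report(alphabet_size: int, max_length: int, allow_shorter: bool,
                  guesses_per_second: float) -> dict:
    """Summarise how a password policy holds up against exhaustive search."""
    space = keyspace(alphabet_size, max_length, allow_shorter)
    return {
        "keyspace": space,
        "entropy_bits": round(entropy_bits(space), 2),
        "worst_case_seconds": worst_case_seconds(space, guesses_per_second),
    }


if __name__ == "__main__":
    # Assumed guess rate for an offline attack on a file password; a placeholder,
    # chosen only to make the comparison concrete.
    RATE = 1e6

    print("6-digit PIN (exactly 6 digits):",
          policy_report(DIGITS, 6, False, RATE))
    print("numeric password, 1..6 digits:",
          policy_report(DIGITS, 6, True, RATE))
    print("12-char mixed alphanumeric:   ",
          policy_report(ALNUM_MIXED, 12, False, RATE))
```

The report for the six-digit case comes out at under 20 bits of entropy and about one second of worst-case search at the assumed rate, which is the point of the complaint above; the mixed-alphabet comparison shows the difference that length and alphabet size make, independent of whatever cipher wraps the file.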
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]