> It is important to remember what we're trying to defend against. As
> many of us have learned through bitter experience, the costs and
> benefits of security systems we deploy are the important part. No one
> needs perfect security in the face of no attackers at all, and even if
> attackers are numerous, if a system has low enough failure/fraud
> rates, no one will complain much.

The design goal for any security system is that the number of failures is small but non-zero, i.e., N>0. If the number of failures is zero, there is no way to disambiguate good luck from spending too much. Calibration requires differing outcomes. Regulatory compliance, on the other hand, stipulates N==0 failures and is thus neither calibratable nor cost effective. Whether the cure is worse than the disease is an exercise for the reader.

--dan

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com