On 16/11/10 11:38 AM, Jon Callas wrote:
> In some places, there's a formal or quasi-formal breakout of who is doing what.
> For example, in the UK, they have GCHQ and CESG. Even though they're in the
> same buildings, there's an FLA for each, so you can talk about offense vs.
> defense.
>
> In the US, there are the offense and defense portions of the NSA. At least some of the defense
> folks in the NSA are called the "IA" (Information Assurance) people, but
> there's also NIAP (who primarily deal with Common Criteria etc.) and NIST, who are a
> completely different organization, being both civilian and part of Commerce.


Right, the NIAP people and the CC programme are more or less where I'm heading (I'm certainly not interested in the crypto side).

Do NIAP/CC have the intellectual leadership in this field of infosec architecture, in the way that we might have once ascribed without question to NSA for the more mathematical field of cryptography?

We know of course that CC will be essential for selling into (long list of) security-related government contracts. But is this any more than a compliance issue? That article I posted:

http://threatpost.com/en_us/blogs/nsa-our-development-methods-are-open-now-111010

suggested that at least at the level of *methodologies* for building secure systems, the rest of the world can now do as well. Once, the NSA had unquestioned superiority in the design and creation of secure systems.

Thanks to all for the answers, I'm guessing it is "not any more."


> When you talk about the NSA employing mathematicians, they are not IA, NIAP, etc. As Paul has
> pointed out, NIST is not the NSA, and calling them an "open partner" is not accurate at
> all. If you rush back to DES days, you have a point, but as they say, "that was Zen, this is
> Tao."


Right, I was speaking analogously, sorry for not making that abundantly clear. Although, it looks like NIAP is a partnership between NIST and NSA's IA area.

> Certainly, NIST will respect what the NSA has to say, but the NSA is not the
> only player. Not only will other parts of the Intelligence Community freely
> disagree with the NSA, but other people like Treasury, DHS, and even NIST
> themselves have their own smart people who often don't like anyone dictating to
> them. Heck, even in the Army, they often just say that the NSA can have
> whatever opinions it wants, but. All of these entities will use their own
> deployment expertise to argue what they like and use the very things you said
> to fight back. (Well, those *mathematicians* may know what's best in theory,
> but let me tell you a thing or two about the real world.) These days, even the
> FTC has its own expertise, and quangos like BITS make their own policy as well,
> albeit starting from NIAP and NIST.
>
> This suggests that NSA doesn't have that leadership role. And indeed nobody does.


> The whole elliptic curve issue is a place where competing interests are dancing.


Yeah. And just on that question of patents, and so forth. IMHO, anyone thinking that the patents aren't valid is ignoring the business risk of the attack. An ethical or "unpatentability" defence is somewhere between worthless and financial suicide :)

Which makes one wonder how far the NSA is going to get without industry on its side? Possibly we're waiting for some honest broker to come out and say which curves, etc. are open for business.



iang
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography