ianG wrote:
> [Hushmail design] isn't
> perfect but it was a whole lot better than futzing around with OpenPGP
> keys and manual decrypting. And it was the latter 'risk' view that won;
> Hushmail filled that niche between the hard core pgp community, and the
> people who did business and needed an easy tool.
> Don't be suspicious, be curious -- this is where security is at.
> Human rights reporters already put their life on the line. Your mission
> is not to protect their life absolutely,
One design aspect seems missing from the high-level discussion: how do
you define the security mechanism failure mode? You have basically two
options: connect with an insecure protocol, or do not connect at all.

If it's a life-preserving application, this question should be addressed
explicitly. A "fail-safe" system may be either way, but stakeholders
should know which way. Airplane pilots are trained according to the
failure mode of each aircraft subsystem. E.g. if the two-way radio fails,
the pilot may remain confident (from an indication in the cockpit) that
the air traffic controller (ATC) still sees the aircraft identifier on
the radar (see the Wikipedia entry for transponder) during the emergency
landing. Thus the decision to land at the major airport (instead of a
secondary airport with less traffic in conflict but lower-grade
facilities) is taken based on the "fail-safe" property of the
aircraft-to-ATC communications subsystem.
Regards,
--
- Thierry Moreau
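The fail-closed versus fail-open choice described above, as an added illustration (not code from this thread, from Hushmail, or from any list participant): a connect routine that takes the failure mode as an explicit policy and always reports which channel was actually used, so the caller gets the equivalent of the cockpit indication. The host name and the two transport callables are constructed stand-ins for a real TLS connector and a plaintext connector.

```python
# Added example: make the failure mode an explicit, stakeholder-visible policy
# instead of an implicit fallback buried inside the transport layer.
from dataclasses import dataclass
from enum import Enum


class FailureMode(Enum):
    FAIL_CLOSED = "fail_closed"  # no secure channel -> do not connect at all
    FAIL_OPEN = "fail_open"      # no secure channel -> connect insecurely, flagged


class SecureChannelUnavailable(Exception):
    """Raised under FAIL_CLOSED when the secure channel cannot be established."""


@dataclass(frozen=True)
class Connection:
    host: str
    secure: bool         # the "cockpit indicator": always visible to the caller
    fallback_used: bool  # True only when the insecure path was taken


def connect(host, policy, try_secure, try_insecure):
    """Open a channel to `host` under an explicit failure-mode policy.

    `try_secure` and `try_insecure` are hypothetical transport callables
    (stand-ins for TLS and plaintext connectors) returning True on success.
    """
    if try_secure(host):
        return Connection(host, secure=True, fallback_used=False)
    if policy is FailureMode.FAIL_CLOSED:
        # Stakeholders chose "do not connect": surface the failure loudly.
        raise SecureChannelUnavailable(f"secure channel to {host} unavailable")
    # FAIL_OPEN: stakeholders chose availability; the downgrade stays visible.
    if not try_insecure(host):
        raise ConnectionError(f"no channel to {host} at all")
    return Connection(host, secure=False, fallback_used=True)


def indicator(conn):
    """Text the user sees, so a downgrade is never silent."""
    return "SECURE" if conn.secure else "INSECURE (fallback in use)"


def simulate(policy):
    """Constructed scenario: the secure path is blocked, plaintext is reachable."""
    return connect("reporter.example", policy,
                   try_secure=lambda h: False, try_insecure=lambda h: True)
```

Under FAIL_OPEN the caller still gets a connection but `indicator()` reports the downgrade; under FAIL_CLOSED it gets an exception and must decide, as the pilot does, what to do with that knowledge.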
_______________________________________________
cryptography mailing list
http://lists.randombit.net/mailman/listinfo/cryptography