On Thu, Jan 26, 2012 at 5:10 PM, Chris Palmer <[email protected]> wrote:
> On Thu, Jan 26, 2012 at 1:43 PM, David Conrad <[email protected]> wrote:
>
>> I'm curious: where do you draw the line? Should routing system security be
>> included? Email security (since many transactions relating to DNS zone
>> administration occur via email)? Telephone? Etc.
>>
>> Security that looks at 'all possible sources of error' seems to me to be a
>> halting state problem
>
> As security engineers, our role is to (a) reduce the number of
> entities we trust; (b) reduce the extent to which we trust the
> remaining trusted entities; and (c) determine the trustworthiness of
> trusted entities.
Really? I prefer trying to help people manage risk.

People have assets that they would like to protect. What matters to them is

1) The cost of protecting those assets (financial and non-financial)
2) The value of those assets (financial, human, etc.)
3) The reduction in risk that is achieved

Obviously it is good to be able to measure those things, but I am pretty sure that reducing the number of trusted parties is not a goal. A system with fewer trusted parties may have greater risk or less risk than one with more.

> This list is about, "We can do better at those three things." That's
> hardly saying, "Let's solve the halting problem."
>
> Having certificates or public keys in the first place are great at
> doing (a), when they work. For example, if you know you've got the
> right key, you no longer need to trust DNS or BGP or TCP. CAs are an
> attempt to do (c). The proposals that this list is to discuss are
> further attempts to do (c) — even if, perhaps, the email system is
> compromised.
>
> So, yes, all those things are and should be in scope.
>
> By contrast, some things are clearly out of scope, such as host
> integrity. (Other efforts are working on that problem, and they can
> indeed succeed at incremental improvements in (a), (b), and (c)
> without exploding to become the halting problem.)

Since (1) the four proposals to date all look to me to represent logical extensions of our Anti-Virus product and (2) the CA infrastructure also supports code signing, I think host integrity is quite likely to be relevant.

That does not mean we will eventually build something that can be used for host integrity protection, but I am pretty sure that there is a lot of useful experience to tap there.

--
Website: http://hallambaker.com/

_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
