[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: KeyNote draft available



At 1:10 PM -0800 3/14/98, E. Gerck wrote:
>Bill Frantz writes:
> > At 10:56 AM -0800 3/14/98, E. Gerck wrote:
> > >You recognize of course that this "argument" is seriously deceptive:
> > >if we cooperate with a security flaw because it is inevitable for
> > >set = A and make it the freely avaliable for set = Universe then
> > >unless A = Universe we have effectively reduced the security level.
> >
> > Is it better to deliver systems which claim to enforce things they can not
> > enforce, or to deliver systems that do not make those claims?
> >
> > IMHO, In the former case, people will trust the claims and field insecure
> > systems.  In the latter case, people will understand the limits of
> > technology and include non-technological controls.
> >
>
>
>Bill,
>
>Certificates are machine-readable statements and deal with claims
>which can either be proved or disproved by Turing machines. To that
>precise technical constraint we must add the social use (or, abuse) of
>certificates. However, to claim that the social (ab)use negates the
>usefulness of strong technical barriers in certificates is an
>exaggeration. "Law is no substitute for engineering" applies here also
>and it is a common high-school experience that a cheap $1.00 lock that
>anyone could break affords much more privacy than a "DO NOT OPEN" sign,
>in a locker-room.

Hi Ed,

Of course.  The lock offers an audit trail.  (If the lock is broken, then
someone has broken in.)  It also increases the risk of getting caught in a
way that sharing keys does not.  The basic problem is that the "strong
technical barriers" are so weak that they are bypassed every day.

As a real-world example.  When I first got my Netcom account, their use
policy did not allow account sharing.  I suspect that this policy was
widely ignored.  Their current policies specifically recognize account
sharing, an accommodation to the realities of the world.

I now share access to my Netcom account with my wife.  I do not share
access to accounts I get through my work with her.  However, there are no
technical barriers preventing me from doing so.  The only barriers are
legal and ethical.

>
>For example, X.509v3 uses the critical bit construct for
>several purposes but also in order to achieve delegation control, in a
>meaningful way, which shows that it is not only possible but also
>needed.

One specific question about the X.509v3 critical bit.  How does it prevent
me from giving my smart card and it's access codes to my wife?

>Regarding enforceable or unforceable things, I disagree that such can
>have the absolute measure explict in your statement "systems which
>claim to enforce things". Clearly, "enforcing something"  is not only
>a matter of degree but also depends on the proposition's environment,
>goals, actors, time, etc.

Certainly.  That is precisely my position.  You must include the human
element as part of the environment for any system you design.

Ed.  I look forward to seeing your specific objections to the points made at:
http://crit.org/http://www.caplet.com/security/taxonomy/ through the Crit
system (http://www.crit.org).


-------------------------------------------------------------------------
Bill Frantz       | If hate must be my prison  | Periwinkle -- Consulting
(408)356-8506     | lock, then love must be    | 16345 Englewood Ave.
frantz@netcom.com | the key.     - Phil Ochs   | Los Gatos, CA 95032, USA



Follow-Ups: References: