Re: Mandatory encryption

On Wed, Jul 18, 2012 at 9:06 AM, Patrick McManus <> wrote:
> On Tue, 2012-07-17 at 23:54 -0700, Mike Belshe wrote:
>> Show me the user that will stand up and say, "Yes, I would like my
>> communications to be snoopable and changeable by 3rd parties without
>> my knowledge."

As has been mentioned before, embedded systems, real-time control.

The operators of a nuclear power plant want to have strong
authentication on every connection but they do not want the
communications to be encrypted. That is a very common requirement in
that field.

They don't want any code that is not absolutely necessary.
Confidentiality is a low concern; integrity is a high concern.

I sell crypto for a living. I am also one of the developers of
HTTP/1.0. The people pushing this particular mandate do not understand
either in my view.

Crypto isn't a magic wand that you can wave and get 'security'.
Security is risk management and to do that you have to have an
understanding of the application area.

HTTP was always intended to be used in more than just browsers. It was
intended as a replacement for FTP as well. It was intended as a
transport layer for Web Services (the name is recent, the idea dates
back to my work in 1993, or earlier).


Received on Wednesday, 18 July 2012 13:42:37 UTC
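The message above argues for authentication and integrity without confidentiality. As an added illustration (not code from the poster, nor any HTTP or TLS mechanism), the following Python sketch shows what an integrity-only layer looks like: each frame carries a monotonic counter, the message in the clear, and an HMAC-SHA256 tag over both. The key, frame format and sample control message are constructed for the example; the counter is included because an integrity-only scheme must still defend against replay, which a tag alone does not.

```python
import hmac
import hashlib
from typing import Tuple

# Constructed demo key; a real deployment provisions keys out of band.
SHARED_KEY = b"constructed-demo-key-not-for-production"

TAG_LEN = 32      # SHA-256 output size
COUNTER_LEN = 8   # big-endian 64-bit monotonic counter


def authenticate(message: bytes, key: bytes, counter: int) -> bytes:
    """Build a frame: counter || message || tag.

    The message is NOT encrypted (no confidentiality). The tag covers the
    counter and the message, so any modification of either is detected
    (integrity, authenticity). Frame layout is illustrative only.
    """
    header = counter.to_bytes(COUNTER_LEN, "big")
    tag = hmac.new(key, header + message, hashlib.sha256).digest()
    return header + message + tag


def verify(frame: bytes, key: bytes, last_counter: int) -> Tuple[bool, int, bytes]:
    """Check the tag and the counter. Returns (ok, counter, message).

    On failure the caller keeps its previous counter; on success it must
    store the returned counter so a replayed frame is rejected next time.
    """
    if len(frame) < COUNTER_LEN + TAG_LEN:
        return False, last_counter, b""
    header = frame[:COUNTER_LEN]
    body = frame[COUNTER_LEN:-TAG_LEN]
    tag = frame[-TAG_LEN:]
    expected = hmac.new(key, header + body, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking tag bytes via timing.
    if not hmac.compare_digest(expected, tag):
        return False, last_counter, b""
    counter = int.from_bytes(header, "big")
    if counter <= last_counter:
        # Valid tag but stale counter: a replayed or reordered frame.
        return False, last_counter, b""
    return True, counter, body


def demo() -> dict:
    """Exercise the layer on a constructed control message."""
    request = b"POST /valve HTTP/1.1\r\n\r\nstate=open"
    frame = authenticate(request, SHARED_KEY, 1)

    ok, ctr, msg = verify(frame, SHARED_KEY, 0)
    tampered = frame.replace(b"state=open", b"state=shut")  # same length
    tampered_ok, _, _ = verify(tampered, SHARED_KEY, 0)
    replay_ok, _, _ = verify(frame, SHARED_KEY, ctr)        # counter already used
    truncated_ok, _, _ = verify(frame[:10], SHARED_KEY, 0)

    return {
        "genuine_accepted": ok and msg == request,
        "plaintext_visible": b"state=open" in frame,  # no confidentiality
        "tamper_detected": not tampered_ok,
        "replay_detected": not replay_ok,
        "truncation_detected": not truncated_ok,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The body of the frame is readable to anyone on the wire, which is the property the poster's operators are asking to keep, while modification, replay and truncation are all rejected by the receiver.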