- From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
- Date: Fri, 16 Nov 2007 12:27:25 -0500
- To: pbaker@verisign.com
- Cc: "W3C WSC Public" <public-wsc-wg@w3.org>
Received on Friday, 16 November 2007 17:27:51 UTC
I will indulge in a rathole, in part, because I do think it represents an important philosophical category for WSC participants, so that being explicit about it and airing it will be a good thing long term for discussions and consensus. > The reason that we tend to obsess at 100% is that cryptography > allows us to be pretty good at some aspects of technical security. I have another view about why 100% is important to some security people. It's because, in security, anything less than 100% represents the opportunity for attack. It is a vulnerability. Security people naturally don't want vulnerabilities,and particularly don't want to be responsible for any vulnerabilities. Even if the action they take represents, as you put it, a risk reduction. It can be difficult, both personally and organizationally, to be proud of and promote the risk reduction, while bearing the responsibility for some of the subsequent risk. And that's even if you're lucky enough to be able to articulate the risk reduction clearly. Not that you've got a hope of being able to actually prove it.
Received on Friday, 16 November 2007 17:27:51 UTC