RE: ACTION-335 logotypes and ISSUE-96 discussion

Remember that you have options when deciding what to do with risk. You can
either accept it at face value (rarely the right option), mitigate it with
technology, people/procedures, and contracts, or transfer it to someone else.
As a risk mitigation tool, most if not all enterprises view cryptography as a
last defense due to the complexity and costs that accompany it. A last defense
must be 100% effective over some period of time. The 100% degrades with time,
of course.


From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On
Behalf Of Dan Schutzer
Sent: Saturday, November 17, 2007 7:08 AM
To: 'Mary Ellen Zurko'; pbaker@verisign.com
Cc: 'W3C WSC Public'
Subject: RE: ACTION-335 logotypes and ISSUE-96 discussion

Funny, I thought crypto was not 100% effective, which is why crypto length
codes and algorithms have to be upgraded from time to time. It's all about
making the processing power necessary to exhaustively search through all
possibilities computationally infeasible with today's computer power. As the
computer power increases, the crypto needs to be stepped up.


From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On
Behalf Of Mary Ellen Zurko
Sent: Friday, November 16, 2007 12:27 PM
To: pbaker@verisign.com
Cc: W3C WSC Public
Subject: RE: ACTION-335 logotypes and ISSUE-96 discussion

I will indulge in a rathole, in part, because I do think it represents an
important philosophical category for WSC participants, so that being
explicit about it and airing it will be a good thing long term for
discussions and consensus.

> The reason that we tend to obsess at 100% is that cryptography 
> allows us to be pretty good at some aspects of technical security. 

I have another view about why 100% is important to some security people.
It's because, in security, anything less than 100% represents the
opportunity for attack. It is a vulnerability. Security people naturally
don't want vulnerabilities, and particularly don't want to be responsible for
any vulnerabilities. Even if the action they take represents, as you put it,
a risk reduction. It can be difficult, both personally and organizationally,
to be proud of and promote the risk reduction, while bearing the
responsibility for some of the subsequent risk. And that's even if you're
lucky enough to be able to articulate the risk reduction clearly. Not that
you've got a hope of being able to actually prove it.

Received on Saturday, 17 November 2007 16:27:50 UTC