Re: New version of Passwords in the Clear

John Cowan writes:

> That's part of my point, but not the most significant part, I think.
> My other point (expressed in the blog posting) was that "in the clear"
> and "secure" are endpoints in a security spectrum in which there are
> good reasons for having more than no, and less than total, security.

Yes.  Stated differently, my proposed wording gives us a somewhat more 
concrete definition of what it means to be "in the clear", and thus a 
framework in which to talk about levels of security implementation.

I think you're pointing out that there's a separate but related dimension, 
which is the spectrum of user requirements.  If I understand correctly, 
you're saying "Some users really want very strong protection against 
access by anyone other than the intended recipients of the message.  At 
the far end of the spectrum are users who have essentially no requirement 
for limiting access to their data or applications.  Yet others may fall 
along the spectrum in between:  those in this 3rd category may want to 
erect more modest barriers against access, either because the need for 
protection is correspondingly low, or because the very fact that even 
straightforward "cracking" is required is sufficient to signal socially, 
and perhaps even legally in some cases, that access by unauthorized users 
is not desired."  Putting even a moderately good lock on my door serves 
as a signal that you're not supposed to come in without the key, right?

If I've understood you correctly, I think those are good points, and 
complementary to the ones I was trying to make.   Do you have specific 
suggestions for how you'd change the finding?  Thank you.


Noah Mendelsohn 
IBM Corporation
One Rogers Street
Cambridge, MA 02142

Received on Wednesday, 15 November 2006 02:02:23 UTC