At 09:36 AM 5/11/2004, Steven M. Bellovin wrote:
In message <[EMAIL PROTECTED]>, Ian Grigg writes:
> Security architects
>will continue to do most of their work with
>little or no crypto.

And rightly so, since most security problems have nothing to do with
the absence of crypto.
>
>j.  a cryptographic solution for spam and
>viruses won't be found.

This ties into the same thing:  spam is *unwanted* email, but it's not
*unauthorized*.  Crypto can help with the latter, but only if you can
define who is in the authorized set of senders.  That's not feasible
for most people.

one of the issues has been that many crypto security solutions have been oriented towards hiding information. that may work with outsiders ... but traditionally, 90 percent of fraud has been insiders ... and recent news last friday about a study to be published was that interviewing something like 1000 people involved in identity theft cases ... it was determined that at least 70 percent had some sort of employee involvement.


in that sense ... the internet and introduction of the possibility of outsider related fraud ... has distracted/obfuscated focus from the real, long standing issues.

my repeated observation is that the current generation of desktop systems were originally introduced to operate in a standalone environment where applications could be introduced that freely took over the whole machine. attempting to continue to satisfy the standalone ... total take-over requirements at the same time using the same platform for generalized interconnect to an increasingly hostile environment creates some diametrically opposing objectives.

there have been some number of time-sharing systems from the 60s & 70s that were designed from the ground up to handle multiple, concurrent users that potentially had conflicting, competitive, and/or opposing objectives (say multiple users from competing corporations and industrial secrets might be involved). these systems with designed-in security from the ground up have been shown to be immune to many of the current day vulnerabilities and exploits. to some extent, there could be valid claims about attempts to use cryptography as bandaids to address fundamentally flawed infrastructures (or at least infrastructures that were specifically designed to not handle many of the existing situations that they have been used for) ... aka let's use bandaids to treat strep infections.



--
Anne & Lynn Wheeler http://www.garlic.com/~lynn/


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
