On Nov 29, 2011, at 7:44 AM, d...@geer.org wrote: > > Steve/Jon, et al., > > Would you say something about whether you consider key management > as within scope of the phrase "crypto flaw?" There is a fair > amount of snake oil there, or so it seems to me in my line of > work (reading investment proposals and the like) -- things like > secure boot devices that, indeed, are encrypted but which have the > decryption key hidden on the device (security through obscurity). > That's just an example; don't pick on it, per se. But to repeat, > is key management within scope of the phrase crypto flaw? > It's a grey area for my purposes. DRM is out completely; that's something that can't work. I'm looking for situations where (a) it's easy for someone who knows the field to say, "idiots -- if they'd done XXX instead of YYY, there wouldn't be a flaw", and (b) there was a real-world consequence of the failure, and not just someone saying "gotcha!" Leaving out key management entirely, like WEP did, would qualify under (a) but not (b).
--Steve Bellovin, https://www.cs.columbia.edu/~smb _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography