On Wed, 9 Oct 2002, Joseph Ashwood wrote:

>Unfortunately, SecurID hasn't been that way for a while. RSA has offered
>executables for various operating systems for some time now. I agree it
>destroys what there was of the security, and reduces it to basically the
>level of username/password, albeit at a more expensive price. But I'm sure
>it was a move to improve their bottom line.

Good grief.

This is an old, old story by now, and it's starting to really
piss me off. It seems like every last attempt to implement
security of any kind in a commercial product gets compromised
for the sake of convenience/marketability, etc.

A system that is *actually* secure is inconvenient, or requires
mental effort to manage keys, or offline key storage, or won't
interact transparently with known insecure programs, or some
other basic fundamental constraint they're not willing to live
with -- so they take a component (RSA in this case) that could
have been used to build a secure system, use its presence as a
point to *claim* that that's what they're building, and build
something else.

It's irresponsible.  It makes *actual* security into a rare,
specialized, and arcane field.  It creates expectations that
you can do insecure things with "secure" software.  It gives
users a *FALSE* sense of security and deters them from getting
products that are actually secure.  It uses fraudulent (or, to
be very charitable, perhaps "mistaken") claims of security to
compete unfairly with actual secure software which, of course,
has constraints on its operation.

I think somebody needs to start assigning security grades
based on the theory that it's the weakest link (PRNG with
state value out in the open) rather than the strongest (we
use whizbang patented strong encryption algorithm!) that
determines security. It's basically a matter of consumer
protection, and it's really something that security and crypto
people need to do within the industry.  It has to be within
the industry, because this is stuff that is well outside
a layman's ability to judge.

                                Bear

---------------------------------------------------------------------
The Cryptography Mailing List