Ian G wrote:
Michael Ströder wrote:
Ian G wrote:
Michael Ströder wrote:

Anders, that's not the real problem with S/MIME or PGP. Encrypting/signing is simply not a business requirement.
...
=> Encrypting/signing must be made a business requirement in contracts. That's the whole point. And there's no technical solution for it.

That's as close to a perfect dilemma as I've come across!

Yupp.

It's not a business requirement, so we must make it a business
requirement ... What then creates the upstream requirement?  If it
doesn't come from business, where does it come from?

You have to teach people to make these requirements part of the company's security policy, which in turn has to be made an integral part of business contracts with external partners.

You can't put something in a company's security policy unless it is a business requirement first.

Reality is much more complex. Sometimes requirements are in a security policy but not in business contracts. And sometimes the management asks for e-mail encryption but does not enforce the use of an existing e-mail encryption infrastructure afterwards.

Or sometimes the technical infrastructure turns out to be pretty buggy and everybody avoids using it. Fortunately these interop problems are almost solved today.

(Unless we endorse the absolutist view of security, in which we have to fix security holes because we know how to ... rather than whether they cost money for the business. But that's a firing offense ;)

Well, it's all about risks and how people weigh them. Some security people know a little more about some risks and technical countermeasures and try to propose them. But it's hard to reach everybody in the business, especially in big companies. And it's hard to convince people to spend time/budget to mitigate the risks.

Ciao, Michael.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto