Ian Grigg wrote on Wed, 10 Mar 04, 7:43 PM:
> >
> > I believe however that - for reasons of software
> > engineering practicalities - such efforts have reached
> > the point of diminishing returns, and that we should
> > instead put more effort into making both the crypto
> > library and application software users better equipped
> > to use simpler tools with greater proficiency.
>
> So, 4. is out. Sorry, SSL guys, it's just too
> hard. Then, 3. is easily dispensed with, as
> those wunderkinder just don't exist.
>
> Which leaves 1 or 2: Nothing or something really
> quick and dirty, and probably only somewhat
> secure.
>
> This is the SSH story. SSH 1 was widely thought
> to be pretty loose. What happened? It succeeded,
> partly because the author didn't worry overly
> about having perfect crypto - he rocked on ahead
> with something that was "ok".

This seems like a very narrow view of the world. By just about any reasonable metric SSL is hardly a failure compared to SSH. SSH will not be a wide success outside a few technically competent people because it is not easy to use.

The argument that "quick and dirty and we will fix it later" is an extension of the adage "weak security is better than no security". The fact is weak security or quick and dirty security is *worse* than no security in many contexts. Weak security tells attackers "here's something worth attacking" and gives users a false sense that "they are secure". People who know that what they have is not secure do not divulge sensitive information in those systems.

The cost of learning how to include SSL is no harder than the cost of learning UI APIs. You could always start your app with some simple line drawing, and let it develop as people hand draw buttons, etc. The problem is your app will not be able to play in the existing infrastructures. In the long run your app will take more time to develop, have weird bugs, but hey you didn't have to learn how to use the Microsoft Windows system, or Motif widgets, or Mac Interface builders.

bob

> _______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
