Gervase Markham wrote:
Ian G wrote:

Well, they are generally in a much better position
to make sensible decisions than anyone else is.


I think we've hit one of our fundamental disagreements again :-)


I know :-(  I can't help it ;)  But consider the
advantages of one of us being wrong:  one of us has
the chance to learn something.  Where else can we
get that for free?

"when banking, make sure you have 128/1024."


So in two years' time, when the advice changes to 256/2048, they have to learn a new set of numbers?


Sure.  Or, in 2 years' time, *you* have to learn another
set of numbers, and *you* have to program it into the
browser, and get it distributed and installed in the
users' machines.  And get it right.  And not run afoul
of the laws (US:  should use 128 or above for banking ...
France:  not allowed to use more than 128...)  And not
travel to countries where you've been sued for
wrongdoing.  And .. and ..

It all depends on whether you think you can make a better
choice than the consumer in deciding when enough bits are
enough bits.  Right now, given your understanding, you
might be able to make a better choice than say your mum.
Or me.  But I challenge you to know better than all the
users, all the time, for all the applications!

That just ain't gonna happen.  It's fundamentally the
case that you do not know more than the consumer.  You
don't even know what he's using the browser for, it's
only a presumption - and a bad one at that - that it's
being used for banking.

iang

PS:   BTW...

There's one easier answer to one part of your suggestion,
this:  simply program the Lenstra and Verheul numbers.
This would solve the issue of "how many bits this year."

(As long as L&V don't release a new set of numbers
breaking all previous understandings, in which case
we're back to running the gauntlet of a thousand issues,
rather than 999 issues.)


--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
_______________________________________________
Mozilla-security mailing list
http://mail.mozilla.org/listinfo/mozilla-security
