Gervase Markham <[EMAIL PROTECTED]> writes:

>Ian G wrote:
>> I'd say 40 bit is good enough for banking, and 128 bit
>> is good enough for banks :-)  As the TLS people have now
>> added a 256 bit protocol suite, they no doubt think that
>> only 256 should be used by banks...

>I think you may have missed my point, which was: a number is still a 
>number, and the user has to attach meaning to it, and needs teaching to 
>do so. I assert that this is undesirable.

You can see where the magic-numbers problem has led with the magic number
"128".  Provided that you mention this magic number somewhere in your
marketing literature, your product will be regarded as secure no matter how
bad it is in practice.  This leads to an association of the number "128" with
"is secure", so you see specs that mindlessly parrot a requirement for "128-
bit RSA encryption" (I've completely lost count of how many times I've seen
that, probably more often than I've seen it used properly) without containing
any real security requirements at all.  Please, let's not become overly
enamoured of such magic numbers.  The only way that most of the public can
work with them is by remembering that particular magic values are good, so
that by extension anything else that wants to be good has to have the magic
number.

Peter 128 128 128 128 128 128 128 128 128 128.

_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security