On Fri, Jun 17, 2005 at 08:21:41AM -0600, Brant Thomsen wrote:
> The exchange below actually reflects what I think is the strongest argument
> against the proposed design change. Successful businesses always prefer
> what works to something new or innovative. With security, that tendency
> should be even stronger, since an architecture can only be considered
> "secure" after it is widely know and many experts have unsuccessfully tried
> to discover weaknesses with it.
>
> I would ask the consultant for a list of other organizations (preferably
> where he/she did not influence the design) that use the proposed model. The
> model used by organizations that require the strongest security, such as
> banking and the military, is the one your organization should adopt if you
> want to convince customers that you provide the same level of security.
> Claiming you have something "better" is an automatic red flag to any
> potential customers with even minimal security experience.
>
The problem is that the consultant is *trying* to recommend a standard
best-practice, but he/she is getting it dreadfully wrong, by confusing
certificates with keys. People often say "certificate" when they mean
"key" (keys are free, but certificates cost money), but in this case
the distinction really matters.
--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
