On Sun, Aug 18, 2002 at 01:46:09AM -0400, dmolnar wrote: | | | On Sat, 17 Aug 2002, John Kelsey wrote: | | > Also, designing new crypto protocols, or analyzing old ones used in odd | > ways, is mostly useful for companies that are offering some new service on | > the net, or doing some wildly new thing. Many of the obvious new things | | I agree with this as far as "crypto" protocols go. But one thing to keep | in mind is that almost all protocols impact security, whether their | dsigners realize it or not. Especially protocols for file transfer, print | spooling, or reservation of resources. most of these are designed without | people identifying them as "crypto protocols." | | Another thing that makes it worse -- composition of protocols. You can do | an authentication protocol and prove you're "you." Then what? Does that | confer security properties upon following protocols, and if so what? Why does the CEO care? Is it economic to answer these questions? Do these questions terminate or go on forever? Do good security experts ever say "its secure?" Or do we keep finding new and better holes that require more engineering work to fix? As Eric used to say, all security is economics. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume