Crypto Test (Re: Free email Crypto)
Andrew Meredith
meredith at iee.org
Thu, 05 Aug 1999 13:16:53 +0100

John R T Brazier wrote:
>
> However, surely it is unreasonable for each and every user to
> become a security expert, so that they may use the technology? On
> this basis, we all would require a three years' engineering degree
> before we buy a car, at least three years' electronics tuition
> before we bought a PC, and so forth. The late twentieth century
> is awash with highly sophisticated technologies that we must take
> on trust because none of us have enough lifetimes to learn it all.

Maybe you are misusing the example a little.

I did not have to learn how to build my motorbike before being allowed
to ride it. I certainly did not have to know how to design one. I did
however need to pass a test to ensure that I could operate it safely wrt
myself and other road users and had a sufficient knowledge of the rules
of the road.

As a former voluntary DSA test instructor and a practising voluntary
advanced instructor I can assure you that for some people this is an
insurmountable obstacle.

In situations where cacky handed use of encryption could represent
exposure to risk for the user and/or the correspondent, I would suggest
that we could do with a product/regime that fulfils (at least) three
groups of criteria.

1 - Open and verifiable by those who are able to do that sort of
    thing .. vis construction and use regulations and type approval.

2 - Easy to operate, with a readily learnable interface. Possibly
    even a standardized interface. Ever wondered why motorbikes
    have the pillion seat behind the rider? It is not just blatantly
    obvious, it is in fact part of type approval.

3 - A training/certification scheme that prevents misuse of the
    technology. Vis. DSA driving test and ADI (Association of
    driving instructors) certification.

Yes 3) would be a hassle. I'm sure it's a hassle that road haulage
operators need to go through a large number of regulatory hoops in order
to be able to send trucks and drivers out on the roads. Is anybody here
willing to argue against them? :)

There are statutory penalties for failure to comply with the road use
rules. I would (tentatively) suggest that this would not be necessary in
the case of commercial use of encryption. It might however be deemed
usable as a presumption of negligence in the case of a dispute though.

Am I totally off beam here?

Andy M