Crypto Test (Re: Free email Crypto)

John R T Brazier prunesquallor at proproco.co.uk
Thu, 5 Aug 1999 22:18:23 +0100
-----Original Message-----
John R T Brazier wrote:
>
> However, surely it is unreasonable for each end every user to
> become a security expert, so that they may use the technology? On
> this basis, we all would require a three years' engineering degree
> before we buy a car, at least three years' electronics tuition
> before we bought a PC, and so forth. The late twentieth century
> is awash with highly sophisticated technologies that we must take
> on trust because none of us have enough lifetimes to learn it all.

Maybe you are misusing the example a little.

I did not have to learn how to build my motorbike before being allowed
to ride it. I certainly did not have to know how to design one. I did
however need to pass a test to ensure that I could operate it safely wrt
myself and other road users and had a sufficient knowledge of the rules
of the road.

As a former voluntary DSA test instructor and a practising voluntary
advanced instructor I can assure you that for some people this is an
insurmountable obstacle.

In situations where cack-handed use of encryption could represent
exposure to risk for the user and/or the correspondent, I would suggest
that we could do with a product/regime that fulfils (at least) three
groups of criteria.

1 - Open and verifiable by those who are able to do that sort of
    thing .. viz. construction and use regulations and type approval.

2 - Easy to operate, with a readily learnable interface. Possibly
    even a standardized interface. Ever wondered why motorbikes
    have the pillion seat behind the rider? It is not just blatantly
    obvious, it is in fact part of type approval.

3 - A training/certification scheme that prevents misuse of the
    technology. Viz. DSA driving test and ADI (Association of
    driving instructors) certification.

Yes 3) would be a hassle. I'm sure it's a hassle that road haulage
operators need to go through a large number of regulatory hoops in order
to be able to send trucks and drivers out on the roads. Is anybody here
willing to argue against them? :)

There are statutory penalties for failure to comply with the road use
rules. I would (tentatively) suggest that this would not be necessary in
the case of commercial use of encryption. It might however be deemed
usable as a presumption of negligence in the case of a dispute, though.

Am I totally off beam here?

Andy M


There are several points here - and we're not so far apart:
(1) Your motorbike is (normally) a product you have confidence in: you are
pretty sure that the companies are reputable, and their products function
(they also conform to standards: as in your point (1)). Most security
products (and, in fact most computer and software products) have yet to meet
the standards of reliability and performance that motorbikes do. So caveat
emptor rules, and when you buy a security product you have to do a
considerable amount of learning before you are capable of making the
decision in an informed way: I believe this is unacceptable.
(2) Your second point is, I believe, spot on. If I am working with or on
behalf of someone and am required to follow their security policies, then I
have every right to expect this requirement not to be onerous. So the
technology used (software and hardware) should be simple to operate. I don't
believe that making the interface harder will make people concentrate on the
security task more: they just have a bigger incentive to either cut corners
or not do it at all.
(3) Training is everything, as you point out. So a company that wishes to
keep its information safe and secure should specify its security policy and
then implement it in a rational way, educating its staff to conform to it.
But a normal commercial company shouldn't have to spend a small fortune
trying to evaluate the different products to decide which one is
appropriate: it should be able to go out and find one to meet its needs, in
the way you buy your motorbike (I am excepting companies with special needs,
such as research agencies and so forth). The company should then be able to
concentrate on making the security product work in its business, and train
its staff to use it effectively.

In the end, it is a matter of perspective. One reason we have road haulage
laws is because of the possible third party damage caused by a badly
maintained or driven truck. You can kill yourself equally quickly in your car
or your kitchen: you take a driving test (third party implications) but you
don't have to take a mandatory Cooking test (yet). I believe security
follows the Cookery model: we don't need statutory certification (although
you can always have voluntary certifications such as BS7799), and
incompetent use will always damage you in the case of a dispute.

Cheers,

John B