Information Security 101 - the Rules of Thumb
Nicholas Bohm
nbohm at ernest.net
Wed Jun 24 12:19:40 BST 2009
Brian Gladman wrote:
> ----- Original Message ----- From: "Peter Fairbrother"
> <zenadsl6186 at zen.co.uk>
> To: "UK Cryptography Policy Discussion Group"
> <ukcrypto at chiark.greenend.org.uk>
> Sent: Tuesday, June 23, 2009 11:28 PM
>> The best person to control access to a secret is a person who already
>> knows it.
>
> The best person to control access to a secret is a person who will be
> detrimentally impacted by its compromise (whether they know it or not).

I'm not entirely comfortable with this, because although it states an
important truth about incentives, it takes no account of the fact that
some people may deploy systems that are far more secure than those
available to others.

If I have a secret that has to be kept in a computer, and its revelation
would affect me adversely, is it really best that I keep it in my
computer at home if I can find a reputable third party with no interest
in the secret and with the resources and technical competence to protect
it much better than I could?

A secondary source of discomfort is that just this sort of principle can
be put forward as an argument that I should take unqualified
responsibility for anything signed with my private key, because it's my
job to maintain control over it, being the best person to do so. I know
(or argue) that the one doesn't follow from the other, but the principle
tends to put me on the defensive.

Nicholas
--
Salkyns, Great Canfield, Takeley,
Bishop's Stortford CM22 6SX, UK
Phone 01279 870285 (+44 1279 870285)
Mobile 07715 419728 (+44 7715 419728)
PGP public key ID: 0x899DD7FF. Fingerprint:
5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF