best practices

Robert J. Hansen rjh at sixdemonbag.org
Tue Dec 14 19:41:20 CET 2010


On 12/14/10 1:23 PM, David Shaw wrote:
> You sort of need a crystal ball to make that argument though...

To underline and agree with what David said -- the entire field of
communications security requires crystal balls.  It sounds neat and
simple to say, "the weakest part of the system must be stronger than the
adversary's ability to break it," but in reality it's messy and complicated.

The weakest part of the system, in your estimation, may not be the same
as the weakest part in the enemy's estimation.  If you don't know what
your enemy's capabilities are, well, figuring out what the enemy will
consider "weakest" requires a crystal ball.

For that matter, you may not know who your enemies are.  If you're
worried about the FBI eavesdropping on your email, you might be totally
blind to J. Random Sysadmin who gets his jollies from planting
keyloggers on systems.  Just knowing who your enemies are requires a
crystal ball.

You may... etc., etc.  It's an incredibly difficult and Byzantine problem.

More information about the Gnupg-users mailing list