[114548] in cryptography@c2.net mail archive

Re: TLS-SRP & TLS-PSK support in browsers (Re: Dutch Transport

daemon@ATHENA.MIT.EDU (Alex Alten)
Sun Feb 3 19:03:17 2008

Date: Sun, 03 Feb 2008 02:26:09 -0800
To: Ian G <iang@systemics.com>
From: Alex Alten <alex@alten.org>
Cc: Peter Gutmann <pgut001@cs.auckland.ac.nz>,cryptography@metzdowd.com,
 Frank Siebenlist <franks@mcs.anl.gov>
In-Reply-To: <47A38241.4040600@systemics.com>

At 09:34 PM 2/1/2008 +0100, Ian G wrote:

>* Browser vendors don't employ security people as we know them on this 
>mailgroup, they employ cryptoplumbers. Completely different layer.  These 
>people are mostly good (and often very good) at fixing security bugs.  We 
>thank them for that!  But they are completely at sea when it comes to 
>systemic security failings or designing new systems.

An excellent observation Ian!!

I too have run into this mindset at enterprises with in-house security teams 
(mostly in Silicon Valley).  They focus on the nuts and bolts like 
producing/using cryptographic libraries, fixing security bugs in code or 
configuring network appliances to stop intrusions.  But it is really hard 
to find any of them with decent experience or knowledge at the overall 
software/hardware/people system design level.  They are often very smart and 
educated engineers.  I find that there's this "mindless" focus on using 
groups of "security" standards, e.g. PKI / LDAP / SSL type of combinations, 
etc.  The DoD contractor firms seem to be a little bit better at 
recognizing the system level aspects of security, although they too are 
often blinded by the emphasis on "COTS" security products.

- Alex
--

Alex Alten
alex@alten.org

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com