[145408] in cryptography@c2.net mail archive
Re: A mighty fortress is our PKI
daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Tue Jul 27 14:23:42 2010
Date: Tue, 27 Jul 2010 14:22:40 -0400
From: "Perry E. Metzger" <perry@piermont.com>
To: cryptography@metzdowd.com
In-Reply-To: <20100727181152.GW38765@noncombatant.org>
On Tue, 27 Jul 2010 11:11:52 -0700 Chris Palmer <chris@noncombatant.org> wrote:
> Sampo Syreeni writes:
>
> > > I am not sure what quantitative measurement of vulnerability
> > > would even mean. What units would said quantity be measured in?
> >
> > I'm not sure either. This is just a gut feeling.
>
> See also:
>
> http://nvd.nist.gov/cvsseq2.htm
That scale seems remarkably arbitrary.
One problem with such arbitrary scales is that there is no objective
methodology one can engage in which will show that the equation is
"wrong" in some way.
Unless you can perform an experiment to falsify the self-declared
"objective quantitative security measurement", it isn't science. I
can't think of an experiment to test whether any of the coefficients
in the displayed calculation is "correct". I don't even know what
"correct" means. This is disturbing.
Perry
--
Perry E. Metzger perry@piermont.com