[145470] in cryptography@c2.net mail archive
Re: A mighty fortress is our PKI
daemon@ATHENA.MIT.EDU (Paul Tiemann)
Wed Jul 28 12:39:03 2010
From: Paul Tiemann <paul.tiemann.usenet@gmail.com>
In-Reply-To: <20100728045809.E491B33D6F@absinthe.tinho.net>
Date: Wed, 28 Jul 2010 10:27:52 -0600
Cc: cryptography@metzdowd.com
To: dan@geer.org
On Jul 27, 2010, at 10:58 PM, dan@geer.org wrote:
>
>> Wow, I was just going to recommend Dan's book, "Security Metrics."
>
> It is actually Andy Jaquith's book, I only wrote the intro.
Ouch, I'm sorry for the mistake! (I knew I remembered your name in connection with the book, but it's on my bookshelf in the office and I was at home.)
> In the meantime, though, couple of years ago I did a tutorial
> on security metrics which you may find useful
>
> http://geer.tinho.net/measuringsecurity.tutorial.pdf
Thanks, my favorite so far is page 45 with the table on Risk Management Culture. I need to tape that to the wall for inspiration.

    Pathologic           Bureaucratic          Generative
    Don't want to know   May not find out      Actively seek
    Failures punished    Local repairs only    Failures beget reforms
From my point of view: The security community is being Generative (Actively seek) about finding the flaws in systems, but it's too often in the Pathologic (Failures punished) stage about how to handle those flaws once they're discovered.
My suspicion: It's fun to Actively seek, and hard to find solutions, and it can be downright frustrating to champion reforms. If the vulnerability isn't gigantic, it's hard to even get people to listen. Reform is maybe 20x harder and 1/5th as fun as poking the holes.
That said, here's an experience worth talking about: Dan Kaminsky did a pretty good job of being Generative in _both_ categories. He found a hole in DNS, and then worked with LOTS of vendors and even with people not directly tied to DNS to collaborate on reforms. He even called me (at a smaller CA) to make sure we were aware of the risks and to verify that we don't only rely on automated forms of verification. I really appreciated the call--it felt like my chance to talk to a rock star.
All the best,
Paul Tiemann
(DigiCert)