[16017] in cryptography@c2.net mail archive

daemon@ATHENA.MIT.EDU (Ian Grigg)
Thu Aug 26 20:17:52 2004

X-Original-To: cryptography@metzdowd.com
Date: Fri, 27 Aug 2004 00:34:54 +0100
From: Ian Grigg <iang@systemics.com>
To: "Trei, Peter" <ptrei@rsasecurity.com>
Cc: cryptography@metzdowd.com, dahonig@cox.net
In-Reply-To: <017630AA6DF2DF4EBC1DD4454F8EE297161734@rsana-ex-hq1.NA.RSA.NET>

Trei, Peter wrote:
> [Disclaimer: I've never claimed to be a mathematician, nor even a
> cryptographer: my business card says 'cryptoengineer'. I've always
> tried more to understand how to properly use cryptographic
> primitives than to understand the deep theory of their construction. 
> I go to people who know the theory when I have a question, 
> and they come to me when they need something designed and 
> built correctly and well.]

Right.  This approach - to which I also subscribe - lays
claim to the term "engineer."  So, technically, cryptoengineer
makes a lot of sense.

Where the emphasis is on programming up primitives, and also
participating on lower level software engineering issues, I've
also seen the term "cryptoplumber" used.

Where the emphasis is on applications, and slotting in the
crypto where it helps, the term "financial cryptographer"
has been used.  This was coined by Bob Hettinga, who has a
bottom-up view of it, meaning crypto heavy.  I prefer to
think of it as top-down, meaning application heavy.

David Honig wrote:
> "Security Engineer", according to Schneier...

I don't like that term for 3 reasons:  firstly, when we
build stuff, security should be top-to-bottom, integrated
in, and not seen as an add-on, an after-thought.  That
is, the overall engineer should build in the security as
required from the beginning, so it is a skill that all
need, and not something thrown over the wall to the guy
with "security" in his title.

Secondly, anything to do with security has a very strong
hype-to-value ratio, so much so that it's quite hard to
find a "security" company selling good security stuff.

Thirdly, good security engineering, as it should be done,
doesn't necessarily involve crypto.  The art is in using
as little crypto as possible - in precise and well placed
doses.  IMHO.  Oftentimes, however, security engineers
start from the pov that crypto is a hammer, and their
job is to go find a nail to encrypt.

(These reasons may be related ...)

All, IMHO!

iang
