[193] in WWW Security List Archive
Re: what are realistic threats?
daemon@ATHENA.MIT.EDU (Nick Szabo)
Thu Oct 6 02:41:01 1994
From: szabo@netcom.com (Nick Szabo)
To: dkearns{TCNET/HR/dkearns}@klaven.tci.com
Date: Wed, 5 Oct 1994 16:22:01 -0700 (PDT)
Cc: szabo@netcom.com, www-security@ns1.rutgers.edu
In-Reply-To: <4FD63434816DB8D1@klaven.tci.com> from "dkearns{TCNET/HR/dkearns}@klaven.tci.com" at Oct 5, 94 04:57:00 pm
Reply-To: szabo@netcom.com (Nick Szabo)
Alas, Dave and I are going around in circles. This will hopefully
be the last thing I post on this thread. I'd like to leave a plea
that we all be more specific and critical rather than just throwing
nice-sounding words around.
Dave Kearns:
>No legal liability, no 'money-back' provision, just the assurance
>that a given statement is true, to the best of the guarantor's
>knowledge. Please feel free to use the term CERTIFY if it makes
>you feel better.
In other words, what I said:
> >Any old stranger claiming that he is making a "guarantee"?
This doesn't provide any way to judge the credibility of the
"guarantor", other than simply by invoking more "guarantors".
Furthermore, the truth of the statement is not the only issue
of concern. We also often want to know about its relevance,
completeness, specificity, and utility.
> higher ranking guarantor - where "higher ranking" is a subjective
>judgement on the user's part.
Thank you for being more specific. Normally "hierarchy" in
computer security contexts is used to refer to an objective
hierarchy, such as the Unix user/group structure.
I often find "rank" to be useless in making judgements of
credibility. I'm usually more interested in how well I know
the certifier, what kinds of knowledge the certifier has
that are relevant to the claim, what incentive the
certifier has to get it right, etc. Of course by squeezing
hard enough you can call all these "ranks", but they are
at least multidimensional, thus not hierarchical.
> Who defines these "precisely defined" steps?
The folks offering a certification service. Also folks
purporting to design or talk about certification in an objective
fashion, like ourselves. Once precisely defined, there is
something by which to judge the service; otherwise all we
can do is condemn the service for being too ill defined.
Nick Szabo szabo@bnetcom.com