Jon Callas wrote:
I think it would have been less helpful, however, to do as a different
organization did the previous week over a botched IV. They said that
it wasn't worth fixing and no one needs that anyway and there was a
storm of press over here.
I personally hated the announcement ... BUT ...
It is what we should be doing. I base this remark on
a research line in economics that I've picked up over
the last year, inspired by Adam Shostack's question
of "what is a security signal?" This has led me to
question "what is security?" Between the two of us
and with help from others, we've been gradually
forming an idea about what economics has to say
about all this.
The upshot is that the disclosure of weaknesses is
highly recommended. It turns out, and I think we can
show this in economics terms, that disclosing the
protocol's weaknesses in clear and obvious detail
is a good security signal.
Now, back in the real world, many protocols and
security systems simply don't do that. So I think
there is going to be a period of adjustment, where
those that disclose in glorious and self-flagellating
terms will be leading the others, in many senses.
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/