ietf

RE: Certificate / CPS issues

2003-06-10 00:10:37
OK, but in the interests of mutual group understanding, 
let's not call non-chains chains.

So, I must ask the question "When is a chain, not a chain?"

I have never seen a chain that had more than one strand of links.
Tire "chains" are not chains.  They are a set of chains linked 
together to wrap around a three dimensional tire, which cannot be 
done with a single "chain"?

Do you think that when chains are linked in parallel, with 
multiple paths in parallel, which formed some kind of maze, that 
somehow this makes it not susceptible to our weakest link problem?

By my logic, putting a strong link in parallel with a weak link, 
does nothing to increase the strength of a maze of chains, in terms 
of making it harder to break security.  There still remains a 
weakest path, which uses that path with the weakest link.

So, I suggest we stop messing with such messy use of language and 
begin to agree on the meaning of our words.  So "What is a chain?"

Until we can decide what is a chain, all discussion about chains 
is just a waste of time.

Cheers...\Stef

At 21:35 -0700 6/9/03, Hallam-Baker, Phillip wrote:
That depends how you connect the links.

A serial chain is only as strong as its weakest link.


Metaphor is no substitute for analysis, as Stephen Jay Gould frequently
observed humans are poor judges of probability

-----Original Message-----
From:  Einar Stefferud
Sent:  Mon Jun 09 20:38:27 2003
To:    Hallam-Baker, Phillip
Cc:    ietf(_at_)ietf(_dot_)org
Subject:       RE: Certificate / CPS issues

Seems to me that if it is a chain (?) ...
Then it is only as strong as its weakest link, whichever link it might
be...\Stef

At 20:11 -0700 6/9/03, Hallam-Baker, Phillip wrote:
Number of steps is not a determinant of security.

Strength of each step and of the aggregate chain is what matters.

Strength comes from discipline and process.

The surest way to create insecurity is to fear everything you cannot
control



-----Original Message-----
From:        Christian Huitema
Sent:        Mon Jun 09 17:32:51 2003
To:  Hallam-Baker, Phillip; ietf(_at_)ietf(_dot_)org
Subject:     RE: Certificate / CPS issues 

I dispute the lower risk claim. You have more control. More control
does not mean less risk.

The PKI and the PGP model both have risks, just different risks. The PGP
model only involves the two parties; it brings the risk that the two
parties misidentify each other.  The PKI model involves a third party,
supposedly trusted by both players; it brings the risk that the third
party may make mistakes, or that the two parties mistakenly assign too
much trust to a third party. Also, any large centralized service is
bound to become a target for government and other entities.

-- Christian Huitema



