
RE: security features.... (Re: Facts, please)

2006-09-19 11:59:59
Harald,

        The below is an easy mis-construction to make - from discussion
within the IETF, involving security experts. 

        What I believe I've actually seen is along the lines of "we don't
want <your favorite security/authentication> because it is likely to be
mis-represented as having resolved security issues it has already been
determined it does not resolve."  One case where this has come up is
in discussions of the use of TCP/MD5 - where the problem is not so much
that anyone "mis-represents" it as almost anybody can use it with little
- or no - work to be done.

        There's certainly a degree of legitimacy in the concerns about 
possible misrepresentation.  If it's "for free" - then it is really
tempting to try to represent it as adequate (unless you're selling a
product that does something better).

        From that, it is not hard to see how someone might get the idea
that "ease of use" might be a "problem" with a security/authentication
mechanism.  It's certainly easy to see how this would be doubly true in
any "easy to use" solution someone might wish to propose that is already
known to be less than perfect...

--
Eric

--- [SNIP] ---
--> The requirements needed to be "satisfactory" depend very much on your 
--> viewpoint; last week I talked to the guy who implemented Freenigma
--> (PGP for web mailers, http://www.freenigma.com), and he commented that 
--> "this will never get past the security gurus in the IETF because it's 
--> so simple, people might actually use it".
--> 
--> That says something frightening about the kind of impression we give 
--> to people who work on making usable security. "Usable" needs to be an 
--> important component of "satisfactory".
--> 
--> (He's quite aware of the obvious security defects of his scheme, btw. 
--> It's a tradeoff.)
--> 
-->                    Harald
--- [SNIP] ---

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
