
Re: Clarifying IETF process [Was: A private club]

2014-03-03 03:54:40
On Fri, Feb 28, 2014 at 3:29 PM, Randy Bush <randy(_at_)psg(_dot_)com> wrote:

Nevertheless, procmail doesn't seem like the right answer.

for some of us it is the best answer we have.  there is way too much
real work to do, and the denial of clue attacks are sufficiently
depressing to impinge on one's ability to work.

jck once suggested a 2x2 matrix, with clue on one axis and energy on the
other.  the real threat is the clueless and energetic.  thomas seems to
have a primitive and very rough cut at a metric.


He is wrong. Here is why.

Back in 1994 most of us working on Web Security were designing message
layer security schemes. S-HTTP designed by EKR and Allan Schiffman was
S/MIME in HTTP, so was my proposal SHEN.

SSL/1.0 was written by people who had no understanding of security and only
a modest understanding of crypto. The errors were so bad that it lasted
only about 5 minutes on first public demonstration when it was shot down by
Allan Schiffman and myself. And the errors were not subtle or difficult to
see either.

In 1993 you did not do security at the transport layer. Everyone knew that
non-repudiation was an essential capability and that was only possible at
the message layer. Everyone knew that, everyone except Marc Andreessen who
was so far out of his depth that he didn't know he was wrong.

Only he wasn't wrong, he was right. And he had a valid argument, that
implementation complexity was the key concern. And even though his grasp of
the theory was weak, Netscape could buy all the expertise it needed. So
they had Taher El Gamal and the brothers Weinstein and Paul Kocher do it
right.


The same effect was at work in the Web. The reason the Web works and
previous attempts to implement Xanadu failed is that the Web has 404 Not
Found. Ted Nelson insisted on Referential integrity and since achieving
that is a byzantine generals problem, the systems never worked.


It takes a lot to get me to dismiss stuff as stupid and it is usually
because it is clever enough to cause real harm. I am on a tear against
BitCoin right now because we have already had one confirmed BitCoin suicide
and one unconfirmed. And that is only due to the (predictable) collapse of
Gox. For many people the collapse of BitCoin is going to cause the collapse
of their entire world view. And that is before we start to wonder if the
disappearance of presumed-Satoshi a few months back is due to foul play. He
is walking around with what purports to be a billion dollars worth of
BitCoin after all.


-- 
Website: http://hallambaker.com