Re: OVCML Tek: A Good Solution to XML Tek Insecurity

From: Cameron L. Spitzer <cls_at_truffula_dot_sj_dot_ca_dot_us>
Date: Mon May 02 2005 - 18:14:58 CDT

It's been a long time since I had a copy of _Applied Cryptography_
on my desk, but it seems to me Lesson One is the only thing in a
cryptosystem that it makes sense to hide or make non-interoperable
or different is the password. Maybe it's counterintuitive, but
using a lesser known format doesn't protect you from the most
serious threats *at all.* If anything, it exposes you more
because you're not leveraging the testing that went into
the tools used for the standard formats. That's pretty
much the problem with proprietary encryption. Unusual machine
is just a half step towards secret machine, and those steps
aren't in the direction of improved security or trustworthiness.

I'm not worried about high school skript kiddies hijacking
the election. I'm worried about spooks doing it. Agents of
outlaw governments and corporations, who are the experts in
their field, well paid, with tons of the latest gear. I need such
strong mathematical protection against them that low barriers
like funny formats are irrelevant by comparison, they're
just inconvenient. Let's put our effort into defending
against the real threats, and if we succeed we'll be defeating the
skript kiddies as well, without any extra effort.

Another way to say the same thing: if my link is already
tunneled through SSH2, I don't need an additional simple
substitution cipher. If they can break SSH2 (as far as I know,
they still can't) then they laugh at the extra cipher.
It *doesn't help*.
But the extra cipher slows *me* down. Make sense?


OVC discuss mailing lists
Send requests to subscribe or unsubscribe to
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
Received on Tue May 31 23:17:13 2005

This archive was generated by hypermail 2.1.8 : Tue May 31 2005 - 23:17:52 CDT