I was fascinated by the article on Whitfield Diffie's expert testimony for Newegg in their trial v. TQP.
Below the heading "A brief history of public-key crypto", Whitfield says, in part:
The problem was vast, Diffie explained—nothing less than how to keep things private in a networked world. He recalled a conversation with his wife in 1973, sitting on a New Jersey park bench. "I told her that we were headed into a world where people would have important, intimate, long-term relationships with people they had never met face to face," he said. "I was worried about privacy in that world, and that's why I was working on cryptography."
I.e., he knew that pen-and-ink-based procedures were not adequate in a network environment. I'm hoping more people will come to realize this, but we need to get more people understanding that PGP is not just encryption -- it also provides authentication and integrity:
authentication allows a user to be quite sure that a message he has received is in fact from the person who says they sent it -- where regular e-mail is easily spoofed in this matter
integrity allows a user to be quite sure that a message has not been altered in transit, e.g. by some kind of man-in-the-middle scam
and of course encryption provides security, allowing a user to be quite sure that a message has not been read by unauthorized person(s).
I'm "preaching to the choir" here of course but I think these are things that we need to move from the esoteric area to the best practice area.
Endpoint computer security will be another hot topic, there being two keys to it: (1) make sure that unauthorized software updates are not allowed, either to the O/S or to an application; and (2) restrict what any given application program is allowed to do, e.g. via AppArmor or equivalent.
The subject of supply stream malware is another matter; this will require a zero-defects approach with liabilities for failing to exert due diligence.