Andrew Sullivan <ajs@crankycanuck.ca> writes:
> On Fri, Dec 21, 2007 at 12:09:28AM -0500, Merlin Moncure wrote:
>> Maybe a key management solution isn't required.
> I like this idea much better, because the same basic mechanism can be used
> for more than one thing, and it doesn't build in a system that is
> fundamentally weak. Of course, you _can_ build a weak system this way, but
> there's an important difference between building a fundamentally weak system
> and making weak systems possible.
I find myself unconvinced by this argument. The main problem is: how
do we know that it's possible to build a strong system atop this
mechanism? Just leaving it to non-security-savvy users seems to me
to be a great way to guarantee a lot of weak systems in the field.
ISTM our minimum responsibility would be to design and document how
to build a strong protection system using the feature ... and at that
point why not build it in?
I've certainly got no objection to making a mechanism that can be used
for more than one purpose; but not offering a complete security solution
is abdicating our responsibility.
regards, tom lane