Michael Ströder wrote:
Ian G wrote:
Michael Ströder wrote:
Anders, that's not the real problem with S/MIME or PGP.
Encrypting/signing is simply not a business requirement.
...
=> Encrypting/signing must be made a business requirement in
contracts. That's the whole point. And there's no technical solution
for it.
That's as close to a perfect dilemma as I've come across!
Yupp.
It's not a business requirement, so we must make it a business
requirement ... What then creates the upstream requirement? If it
doesn't come from business, where does it come from?
You have to teach people to make these requirements part of the
company's security policy, which in turn has to be made an integral part of
business contracts with external partners.
You can't put something in a company's security policy unless it is a
business requirement first.
(Unless we endorse the absolutist view of security, in which we have to
fix security holes because we know how to ... rather than whether they
cost money for the business. But that's a firing offense ;)
Technicians cannot solve this by inventing yet another technology.
But it seems that some security people are very busy with PKI bashing
and convincing others that a new technology will solve all the
non-technical problems. That will obviously fail miserably.
It's a mystery!
iang
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto