RE: A little paranoia for the weekend...

[Paul Robertson <proberts () patriot net>]

On Tue, 29 Jul 2003, Behm, Jeffrey L. wrote:

> > From the other side of the coin:
>
> But if the credential is lost, isn't the data history as well?

Generally, yes, however it's not always the case.  If, for instance, I 
time and trip limit remote access to a resource, then the credential's 
lifetime is limited.  It always concerns me when we look at point 
solutions instead of solving classes of problems- and this is classic- 
from the technologist's standpoint, limiting the credential is most of the 
point.  Very few technologists (and yes, I'm overgeneralizing) deal with 
trade secrets, business secrets, etc.  

I'm a lot like Arkady, my data isn't always all that important, so fixing 
the credential problem makes sense.  But when that solution gets rolled 
out to the general user population, we get a threat and protection 
mismatch.  Like with SSL, we're focusing on the wrong part of the problem- 
moving the encrypted data down to a trusted host (like the cellular phone 
cited) is a good solution, and fixes the issue in a much more effective 
manner (assuming a lot of prerequisites, but hey...)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards