1994-12-13 - Re: Clarification of my remarks about Netscape

Header Data

From: Adam Shostack <adam@bwh.harvard.edu>
To: kipp@warp.mcom.com (Kipp E.B. Hickman)
Message Hash: 9a4085fd564a6c97f246138bbcf88c3a586494e12da5c80324a9f36d66fce6f7
Message ID: <199412130014.TAA21734@bwnmr5.bwh.harvard.edu>
Reply To: <9412121532.ZM17644@warp.mcom.com>
UTC Datetime: 1994-12-13 00:14:20 UTC
Raw Date: Mon, 12 Dec 94 16:14:20 PST

Raw message

From: Adam Shostack <adam@bwh.harvard.edu>
Date: Mon, 12 Dec 94 16:14:20 PST
To: kipp@warp.mcom.com (Kipp E.B. Hickman)
Subject: Re: Clarification of my remarks about Netscape
In-Reply-To: <9412121532.ZM17644@warp.mcom.com>
Message-ID: <199412130014.TAA21734@bwnmr5.bwh.harvard.edu>
MIME-Version: 1.0
Content-Type: text/plain


Kipp E.B. Hickman writes:

| I'm listening! What is wrong with SSL? What defects does it have in the way
| that it tries to solve privacy and authentication? What should we do to make
| the next version better?

	The first thing you need to do is define a threat model.  Make
explicit your assumptions.  What needs to be trusted, and when?  Who
are your threats?  What are your assets, and what are they worth?

	Next, you should publish the model, and let us rip it into
little shreds.  This is hard on the ego, but good for your threat
model.  No one ever thinks of everything.  Iterate here.  This is
where the time & effort belong.

	Once you have a solid threat model, you should see what
protocols and tools are out there that can be used to defend against
those threats.  I suspect that most of the tools you will find you
need exist.  Some will not.

	Having found what wheels don't need to be invented, you need to
code your solutions.  Then you need to publish that code to allow the
security community to decide whether or not to trust it.


Adam


-- 
"It is seldom that liberty of any kind is lost all at once."
						       -Hume




