[OLPC Security] Re: Periodic identity updates
Carl-Daniel Hailfinger
c-d.hailfinger.devel.2006 at gmx.net
Sun Feb 25 22:15:48 EST 2007

On 26.02.2007 04:06, Frank Ch. Eigler wrote:
> frumioj at mac.com writes:
>
>> I wasn't suggesting that any unknown universe of negatives be
>> enumerated; rather that /known/ "non-goals" of the specification are
>> noted somewhere explicitly [...]
>
> One problem with explicitly listing some "non-goals" is that they are
> tantamount to assumptions about parts of the overall system. (Say,
> "We don't address possible screwups in domain X." roughly implies "We
> assume that domain X will not screw up".) That in turn provides a
> focal point for an attacker to undermine the system ("Hey, let's try
> to subvert X!"). So, in a way, listing the "non-goals" could be
> self-defeating.

OK, and not listing them is security by obscurity. Pick your poison.

Regards,
Carl-Daniel
--
http://www.hailfinger.org/