[ExI] Verification
David Lubkin
lubkin at unreasonable.com
Fri Aug 9 18:33:31 UTC 2013
Anders wrote:
>There is likely a literature on this in computer security. I would
>start by looking through what Bruce Schneier writes in his recent
>book on trust, because this is essentially a trust management issue.

I haven't seen it yet but my library has it, and I now have a hold on it.
Thanks.

Anyone know of useful books or web sites on security patterns?
Here are the patterns, here are decent tools or techniques for each
pattern, here's a good approach to teasing out what your problem is
at core. Most of my computer security literature is either too general,
too specific, or too old.

>I think there is no general solution if dealing with the domain of
>people and human institutions; the best you can do is to define an
>explicit procedure your company uses to determine who gets what (and
>then you better put some of your most devious friends to game it, to
>figure out how it can be hacked). Often the solution is to use
>trusted third parties (banks, government, etc) that make it costly
>for A or C to fake things. As long as the cost or hassle is big
>enough, there will be little abuse.

I think that, rather than one explicit procedure used for all customers,
I should allow the customer to choose the balance between security
and hassle, based on their assessment of the consequences,
selecting { any, any n, all } of several verification methods. It makes
no sense to have a Medeco lock on a Porta Potty.

Of course, if they choose procedures that are too weak, C might
fraudulently take over B's account and then tighten them so that A
can't get it back....
-- David.