If you tell enough stories, perhaps the moral will show up.

2008-11-05

Solving the Wrong Problem (a different one)

Now, listen. Encryption is probably not the solution to your problem. We hear a lot about encryption these days and it seems to be widely imagined as the solution to a problem, or a reason why it's not a problem: "it was encrypted", "we'd better encrypt that". Keep an ear cocked for that sort of thinking, because it is the sound of someone making a mistake. Encryption doesn't solve any problem, not even access control problems. It replaces access control with a smaller, tougher issue: Key Management. Whether that helps at all depends on the situation. It's late and I'm tired so I'll cut through and state the facts. Encryption only helps when the key management problem can be solved, and the key management problem can only be solved in strict binary situations: when you can cast the problem in terms of "everyone in this group gets full access without per-user auditing and no-one else gets anything" then maybe you could try encryption:

  • Access for a single person against the whole world -- keeping personal secrets
  • The same plan for a group small enough to maintain perfect mutual trust. Some of us feel that the maximum size for such a group is one.
  • Shared channel against the world: the VPN and encrypted device
It's Us (or rather Me) and Them. If you have any other problem, don't bother with encryption.
