[E-Lang] defense in depth

David Wagner daw@mozart.cs.berkeley.edu
2 Feb 2001 00:56:34 GMT


Tyler Close wrote:
>I contend that this means that it is possible (even easy) in
>practice to reach the perfect defense stage for a specific authority.

If we accept this premise, yes, I agree it would make defense in depth
unnecessary.  However, I remain unconvinced of the premise.

I'm sure you've heard the phrase: "Extraordinary claims require
extraordinary evidence."  I'm not very fond of that saying, to be
honest, but I hope you can see why paranoids like me might be skeptical
about the likelihood of perfection, when security is on the line.

>As an exercise, try justifying the addition of an extra defense to the
>MintMaker.

Ahh, but a paranoid like me will say that you've got it backwards.
Try justifying that the addition of an extra defense _isn't_ necessary! :-)

Note: If we can't be sure of anything either way, it seems to me that
it would be safest and most prudent to assume that it might not be
perfect and hence defense in depth might be useful (even if we don't
know for sure that it will be useful).  The cost of failure is just too
high.