- From: Ryan Sleevi <sleevi@google.com>
- Date: Sun, 28 Dec 2014 13:46:57 -0800
- To: Jeffrey Walton <noloader@gmail.com>
- Cc: security-dev <security-dev@chromium.org>, Chris Palmer <palmer@google.com>
Received on Sunday, 28 December 2014 21:47:24 UTC
non-security-dev to BCC. Response inline

On Dec 28, 2014 1:37 PM, "Jeffrey Walton" <noloader@gmail.com> wrote:
>
> On Sun, Dec 28, 2014 at 4:21 PM, Chris Palmer <palmer@google.com> wrote:
> > On Sat, Dec 27, 2014 at 3:12 PM, Jeffrey Walton <noloader@gmail.com> wrote:
> >
> >> In this thread (https://www.ietf.org/mail-archive/web/websec/current/msg02261.html),
> >> Chris Palmer suggested using shame as a security control.
> >
> > No, I did not. I hope that people followed the link and read the post.
>
> Sorry to further this (but it's important for me to understand). Here
> was the statement:
>
>     If the device manufacturer is also taking administrative
>     control over devices in the field, then market pressure
>     (such as those articles) is the only recourse.
>
> So are you stating market pressure and public humiliation is not shaming?

Chris did not say public humiliation. That is a subjective interpretation, but is not what was stated.

> Or are you stating that shame is not a security control?
>
> Or something else?
>
> (I agree with "shame is not a security control", but I understand the
> usefulness of shame and public humiliation. It seems others find shame
> useful, too, like Certificate Transparency).

Certificate Transparency is not a shame mechanism. It is a complement and technical control to what in theory occurs in an audit, but not in practice.