RE: Certificate / CPS issues

OK, but in the interests of mutual group understanding, 
let's not call non-chains chains.

So, I must ask the question "When is a chain, not a chain?"

I have never seen a chain that had more than one strand of links.
Tire "chains" are not chains.  They are a set of chains linked 
together to wrap around a three dimensional tire, which cannot be 
done with a single "chain"?

Do you think that when chains are linked in parallel, with 
multiple paths in parallel, which formed some kind of maze, that 
somehow this makes it not susceptible to our weakest link problem?

By my logic, putting a strong link in parallel with a weak link, 
does nothing to increase the strength of a maze of chains, in terms 
of making it harder to break security.  There still remains a 
weakest path, which uses that path with the weakest link.

So, I suggest we stop messing with such messy use of language and 
begin to agree on the meaning of our words.  So "What is a chain?"

Until we can decide what is a chain, all discussion about chains 
is just a waste of time.

Cheers...\Stef

At 21:35 -0700 6/9/03, Hallam-Baker, Phillip wrote:
>That depends how you connect the links.
>
>A serial chain is only as strong as its weakest link.
>
>
>Metaphor is no substitute for analysis, as Stephen Jay Gould frequently
>observed humans are poor judges of probability
>
> -----Original Message-----
>From: 	Einar Stefferud
>Sent:	Mon Jun 09 20:38:27 2003
>To:	Hallam-Baker, Phillip
>Cc:	ietf@ietf.org
>Subject:	RE: Certificate / CPS issues
>
>Seems to me that if it is a chain (?) ...
>Then it is only as strong as its weakest link, whichever link it might
>be...\Stef
>
>At 20:11 -0700 6/9/03, Hallam-Baker, Phillip wrote:
> >Number of steps is not a determinant of security.
> >
> >Strength of each step and of the aggregate chain is what matters.
> >
> >Strength comes from discipline and process.
> >
> >The surest way to create insecurity is to fear everything you cannot control
> >
> >
> >
> > -----Original Message-----
> >From: 	Christian Huitema
> >Sent:	Mon Jun 09 17:32:51 2003
> >To:	Hallam-Baker, Phillip; ietf@ietf.org
> >Subject:	RE: Certificate / CPS issues 
> >
> > > I dispute the lower risk claim. You have more control. More control does
> > > not mean less risk.
> >
> >The PKI and the PGP model both have risks, just different risks. The PGP
> >model only involves the two parties; it brings the risk that the two
> >parties misidentify each other.  The PKI model involves a third party,
> >supposedly trusted by both players; it brings the risk that the third
> >party may make mistakes, or that the two parties mistakenly assign too
> >much trust to a third party. Also, any large centralized service is
> >bound to become a target for government and other entities.
> >
> >-- Christian Huitema
