Longer or more meetings?

Eric Rescorla EKR <ekr@rtfm.com>
08 Dec 2002 13:17:58 -0800


Marshall Rose <mrose@dbc.mtview.ca.us> writes:
> > > i think that it's really
> > >
> > >	just enough quality delivered in a timely fashion
I elided it because I don't have a problem with this, and so
I didn't see any reason to focus on it.

> > On the other hand, there are plenty of examples of protocols which
> > were designed by industry consortia that are badly flawed because
> > they didn't think to consult outsiders with clue (cf. WEP).
> 
> actually, I think the WEP guys don't consider their stuff badly flawed,
> where folks differ with them is what the requirements are for the
> problem being solved.  (obviously, the security community doesn't agree
> with the requirements that the WEP guys decide to meet.)
You mean like the requirement that it actually provide security?

I'm sorry but I don't agree with this assessment. I wasn't that
close to the situation, but as I understand it the security flaws
in WEP came as a surprise to the WEP designers--certainly the
Shamir RC4 key schedule attack was a surprise to everyone.

I don't want to get too deep into the discussion of WEP, but 
I think it actually illustrates an important point. There
are two sorts of complaints about WEP:

(1) It doesn't solve the right problems.
(2) It solves the problems it attempts to solve badly.

In general, I have some sympathy for the argument that the WEP guys
saw the requirements differently. There is certainly room for
differing opinions. What I don't have sympathy for is failing to
achieve even those limited goals because the specific mechanisms they
chose were insecure. A little consulting with someone with expertise
would have alleviated this problem. 

-Ekr