Longer or more meetings?

Eric Rescorla EKR <ekr@rtfm.com>
08 Dec 2002 19:02:53 -0800


Marshall Rose <mrose@dbc.mtview.ca.us> writes:

> > It wouldn't have taken much longer to get it right, but they
> > would have had to get outside help from someone who understood
> > crypto. The source of the problem is that they did not do so.
> 
> eric - the problem is that i think this is speculation on your part. 
In some loose sense.

It's not at all difficult to fix the crypto. Solutions for the specific
problems that Wagner publicized were described almost immediately.
In fact, they were floating around prior to the Wagner paper. Had
the WEP guys engaged someone who understood security, I don't see any
reason why those problems wouldn't have been fixed had the right
people been involved.


> we certainly agree (and randy too!) that the world would be a better place if wifi had
> good security (although again, i note that no one seems willing to define this),
I don't think that's actually true. There's been an enormous amount of
discussion in the security community about what the appropriate threat
model and security features for 802.11 should be. If anything, too many
people are willing to say what it should be.

But again, I'd like to emphasize that there are two issues:
(1) What the security model should be.
(2) What the protocol must do to meet (1).

My objection to WEP is not that they didn't get (1) right but that
they didn't get (2) right. And (2) isn't particularly contentious
in the security community.
     
> but there is simply no evidence to suggest that in this case taking more time
> would have resulted in it coming out right.
I never said it would have. The problem was talent, not time.

As for the argument that the security people didn't "stop by", I think
you've got it backwards. When one is designing a security protocol,
which WEP is, one has a responsibility to acquire the correct
expertise, either by learning it oneself or engaging experts. As
far as I can tell, the WEP designers did neither.

-Ekr

-- 
[Eric Rescorla                                   ekr@rtfm.com]
                http://www.rtfm.com/