On Thu, Aug 29, 2024 at 9:18 PM Viktor Dukhovni via mailop <mailop@mailop.org> wrote:
> On Wed, Aug 28, 2024 at 12:03:01PM -0700, Brandon Long wrote:
>
> > On top of that, if you make such an opt-out available, the people
> > using it are not going to be the people who have a level of know-how
> > to even come close to being safe.
>
> That's precisely the power imbalance of market concentration. When you
> have hundreds of millions of "users", no one of them is sufficiently
> important.

I don't think that directly correlates, no.

If we had only 100 users, the chances that all 100 had the proper opsec would be small. If we had a million users, the number that had improper opsec would be large. I'm not sure there's a million people in the entire world that have that level of opsec.

Maybe if we only had 100 users, we could individually vet the users to make sure they had the proper opsec. Or have other constraints that would lower the risk threshold that can be used on larger audiences.

As for the general statement... I guess at some point as you add users, you start having to make trade-offs instead of simple decisions, and at larger numbers those trade-offs are based on statistics... and the larger the number, the more users are covered even by small false positives.

Whether or not you could sustain a market with enough entrants to support the level of importance for a single customer is an interesting question. And whether all of those entrants would need to learn all of the same lessons the hard way.

There are clearly a very large number of identity providers on the internet, which is to say every website or service that has a login. Not all of them are protecting the same level of data/resources/adverse effects, but the only benefit to there being such a large number is siloing of failure, which occurs very often.

Brandon
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop