Originally By Jan Shaumann
- Boring is better than clever.
- Explicit is better than implicit.
- Simple is better than complex.
- Complex is better than complicated.
- Failing closed is better than failing open.
- Layers are better than bulwarks.
- Usability counts.
- Integrity without authenticity is rarely what you want.
- ...although confidentiality without authenticity may be ok.
- Shamir's Three Laws still hold.
- And Kerckhoff's Principle extends beyond pure crypto.
- In the face of an audit, refuse the temptation to tick checkboxes.
- Hanlon's Razor is sharp as ever.
- ...although that may not be obvious if you've been here for a while.
- 100% security is impossible.
- ...although raising the bar is often sufficient.
- If the system is hard to explain, it's a bad idea.
- If the system is easy to explain, it may be a good idea.
- Threat models are one honking great idea -- let's do more of those!