[MrDarcy]

There aren’t many situations where expecting everyone to explain everything in every detail is correct, but there are some.

Many of those situations where it is OK are down at the foundational level of the internet itself, which is what linode and Drew DeVault were concerned with back in the day.

An example today I’m wrestling with is TLS interception (valid) vs protecting against TLS man in the middle attacks. It’s tough to get people to see it’s an either or situation, they truly are mutually exclusive.

Unless, we walk together through every painstaking detail to reach the necessary conclusion together.

[zdw]

The TLS issue mentioned can be more easily conceptualized if you view the root CA lists as "The people you're OK with MITM-ing you".

And then whether your trust in the browser vendor coalition to push back against and punish even accidental CA malfeasance are reasonable.

[MrDarcy]

The crux of the issue is reasonable people can disagree on what is OK at a large org.

Security, like every human, believes they’re the good guys.

Platform teams cannot enforce the principle of least privilege.

Truly a paradox.

[computerfriend]

I feel like I've been in the same position as you. I ended up not being able to convince those who mattered so I left. Hope you have better luck!