At 09:49 AM 11/5/2001, [EMAIL PROTECTED] wrote:
>I tend to agree with you that we should extend the meaning
>of end-to-end to mean user-to-user, instead of device or
>token-to-token.

I'm not sure what this means. If we get really specific, then a transaction between me and a small used-book seller consists of a transaction between individual humans, but my transactions with Amazon involve an abstract entity represented by teams of humans. Presumably my latest transaction still proceeds even if the first person to process it at Amazon quits before the package is shipped. That's not so clear if the bookseller drops dead.

If we look at authentication as an engineering problem, then you can only 'authenticate' between entities that share some fairly complex secret information. Anything else can be spoofed pretty easily. I don't think it's practical to speak of strong, network based authentication between 'users' unless we tie them to physical devices that store those secrets (private keys, etc.).

Of course, this distinction simply illustrates the gap between our policy objectives (authenticate particular roles and/or entities) versus the available tools (verify ownership of hard to forge credentials).

Rick.
[EMAIL PROTECTED] roseville, minnesota
"Authentication" in bookstores http://www.visi.com/crypto/

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]