On Mon, Sep 16, 2002 at 09:57:13PM -0500, Ted Lemon wrote:
| > Relevance to the Pd debate is that banks may in future insist on remote
| > attestation of users' software (however practically possible that is) so
| > that they can attempt to dump yet more liability on their users ("Ladies and
| > gentlemen of the jury, Mr Doe's claim that he did not authorise this
| > transfer to a Caribbean account is obviously fraudulent as his Fritz chip
| > proved to us that his system had not been compromised"...)
|
| Banks typically aren't that sophisticated. Demand for this capability
| probably will not materialize in time to save Pd, although there are
| probably people working for banks who will claim that they want it.
As soon as you start doing this, it becomes clear what a nightmare it is for the bank to try to learn anything about its customers. Firstly, its customers are diverse, and the breadth of information you get is large. Second, what you learn falls into three categories: "known good," "unknown," and "known bad." Smart security people want to say what is not explicitly ok is bad. That means most of your customers have bad software, and lots of it. Do you deny them access? Ask that they upgrade? Are you responsible if their upgrade breaks things?

Now, let's say you don't tell the customer with known bad software to go away, because you value their business. Are you now culpable in some way? After all, you *knew* that client was compromised...

PS: Hi Ashish! :)

--
"It is seldom that liberty of any kind is lost all at once." -Hume

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]