I wrote about Java-bashing relative to security in e-commerce:

>>Naturally I understand the logic behind these, but it's a bit like saying
>>"We won't sell anyone a car unless it's burglarproof." People use their
>>cars quite a bit even though they're expensive and at risk of being stolen.

At 10:15 AM 7/27/99 -0500, William H. Geiger III wrote:

>Yes but they are not using them to carry around my bank balance either.
>When we start talking about the security of trillions of dollars in e-comm
>transactions the incentives are very high to break the system.

There have often been times when my bank balance was significantly less
than the value of my car, but I agree the analogy can't be pushed much
farther.

If someone goes on-line with a Java-based e-commerce product that completes
transactions at a lower cost, they will find a huge market, regardless of
the glaringly obvious security problems with doing this. They'll just say,
"It's secure because it makes innovative use of the PKI" and people's eyes
will glaze over.

If I sound cynical, it's because I spent several years trying to find a
market for high assurance security products. You can sell them to
individual customers after you've patiently explained the benefits, but the
market winners are the products that sell themselves without needing a lot
of explanation: those that are convenient and/or fast.

Maybe people see things differently in the newly evolving world of
e-commerce: are there customers (VPs with Real Money) clamoring for higher
security assurance? Common Criteria evaluations? Anything like that? Are
people really using products like HP's Virtual Vault? I got the impression
that, like us, HP's struggling to find people who realize it's what they need.

Regarding this Security Lab to Certify Banking Applications: I think it'll
last until the seed capital runs out unless they establish a consortium of
insurance companies and tie their evaluations to the availability of
liability insurance. Sort of like Underwriters Laboratories and household
fire insurance. Otherwise, nobody is going to care about their seal of
approval.

Rick.