minor addenda about speeds & feeds concerning the example of mid-90s payment 
protocol specification that had enormous PKI/certificate bloat ... and SSL.

The original SSL security was predicated on the user understanding the 
relationship between the webserver they thought they were talking to, and the 
corresponding URL. They would enter that URL into the browser ... and the 
browser would then establish that the URL corresponded to the webserver being 
talked to (both parts were required in order to create an environment where the 
webserver you thought you were talking to, was, in fact, the webserver you were 
actually talking to). This requirement was almost immediately violated when 
merchant servers found that using SSL for the whole operation cost them 90-95% 
of their throughput. As a result, the merchants dropped back to just using SSL for 
the payment part and having a user click on a check-out/payment button. The 
(potentially unvalidated, counterfeit) webserver now provides the URL ... and 
SSL has been reduced to just validating that the URL corresponds to the 
webserver being talked to (or validating that the webserver being talked 
to, is the webserver that it claims to be; i.e. NOT validating that the 
webserver is the one you think you are talking to).

Now, the backend of the SSL payment process was an SSL connection between the webserver and 
a "payment gateway" (sat on the internet and acted as gateway to the payment 
networks). Moderate to heavy load, avg. transaction elapsed time (at payment gateway, 
through payment network) round-trip was under 1/3rd of a second. Avg. roundtrip at merchant 
servers could be a little over 1/3rd of second (depending on internet connection between 
the webserver and the payment gateway).

I've referenced before doing BSAFE benchmarks for the PKI/certificate bloated 
payment specification ... and using a speeded up BSAFE library ... the people 
involved in the bloated payment specification claimed the benchmark numbers 
were 100 times too slow (apparently believing that standard BSAFE library at 
the time ran nearly 1000 times faster than it actually did).

When pilot code (for the enormously bloated PKI/certificate specification) was 
finally available, using BSAFE library (speedup enhancements had been 
incorporated into standard distribution) ... dedicated pilot demos for 
transaction round trip took nearly a minute elapsed time ... effectively all of 
it was BSAFE computations (using dedicated computers doing nothing else).

Merchants that found using SSL for the whole consumer interaction would have 
required ten to twenty times the number of computers ... to handle equivalent 
non-SSL load ... were potentially being faced with needing hundreds of 
additional computers to handle just the BSAFE computational load (for the 
mentioned extremely PKI/certificate bloated payment specification) ... and 
still wouldn't be able to perform the transaction anywhere close to the elapsed 
time of the implementation being used with SSL.

virtualization experience starting Jan1968, online at home since Mar1970
