On Tuesday 25 March 2003 12:07, bear wrote:
> On Tue, 25 Mar 2003, Ian Grigg wrote:
> >Which gets us to the next stage of the
> >analysis (what did they cost!).
> Wait. Time out. <good stuff snipped> ....
> I don't think mere monetary costs are even germane to
> something like this. The costs, publicly and personally,
> are of a different kind than money expresses.
I'm sorry to disagree, but I'm sticking to my
cost-benefit analysis: monetary costs are totally
germane. You see, we need some way in which
to measure the harm. It's either subjective as
you describe above, which can't support an
infrastructure decision, or its objective, which
But, luckily, there is a way to turn the above
subjective morass of harm into an objective
hard number: civil suit. Presumably, (you
mentioned America, right?) this injured party
filed a civil suit against the person and sought
Now, even if the case did not get filed, I imagine
that you would be able to find a few legal types
to provide an upper and lower bound on the sort
of damages that case would go for.
And there's your number! From my ignorant
position, I'd scratch in a figure of about a
million dollars there, and wait for someone
to refine it.
> And we're going
> to continue to have this problem for as long as we continue to
> use unencrypted SMTP for mail transport.
I would agree. Which is why we are having
this discussion - how can we get this poor
victim's traffic onto some form of crypto so
she doesn't get her life ripped apart by some
As far as SSL goes (switching from the
context of her mail to the system we are
discussing here), here's the answer:
Make ADH / self-signed certs a respectable
half-way house to CA-signed certs.
Encourage all servers to accept them, by
Encourage all browsers to switch up to
ADH / self-signed secured traffic. Don't
discourage it, encourage it.
The problem is, it is just too darned hard &
expensive for sites to get into SSL. That's
what we are looking at, here, lowering the
cost of entry into SSL.
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]