Ian G wrote, On 2008-12-30 05:36:

> Right, you are correct that those who built the process were orienting 
> SSL to credit cards and protection from eavesdropping.

The designers of SSL knew from the beginning of the many, many uses that
SSL had.  The emphasis in the PR story for SSL was around credit cards
to promote ecommerce, because theft of credit card numbers was the
problem that the consumer understood and feared, but it was not the
only problem they sought to solve.  In fact there was an earlier protocol
designed specifically for the credit card problem, known as SET, and
Netscape worked on SET before SSL.  SSL grew out of a recognition that
the problem space was much larger than credit cards and that SET was
inadequate for that larger problem space.

Netscape promoted SSL for use to protect ALL connection-oriented (TCP-based)
protocols.  They used it for web browsing (https), email
(POP3S, IMAPS, SMTPS) and newsgroups (snews), and for Directory Service
(X.500 LDAPS).  In fact, as you may recall, Netscape's own newsgroup server
(the forerunner of news.mozilla.org) was ONLY accessible via snews.

> However those who used the result -- the market place -- ignored all 
> that.  In particular, the vast number of users look to three major uses:
> 
>     * protection of non-ecommerce but still sensitive data
>     * online banking
>     * compliance (credit card processing)

These were all among the uses envisioned for SSL. There were still others
that have not yet become widespread.

> That last is the old story.
> 
> What is particularly interesting here is that the online banking *is* 
> financially oriented, but SSL is not particularly good at it, has never 
> really been adequate or even compelling.  

Ian, you're continuing to use the term "SSL" to describe something that
is FAR more than SSL.  The SSL protocol is VERY good at what it does,
and is particularly good for online banking.  IINM, the browser UI
experience that goes with https is the issue to which you are referring.
I would appreciate it if you would not call that SSL, because that is NOT SSL.

> Hence the green EV thing, 

Which is in no way an alteration or replacement for SSL.

> hence the original companies involved now sell other stuff to banks, and 
> certificates have a sort of "embarrassing relative" feel to them.

LOL.

>> I honestly don't believe that it should be limited to financial
>> services (including due diligence related to providing financial
>> instruments including credit card numbers over the net between the
>> cardholder and the merchant).  But, that's what we currently have,
>> because the inertia is so entrenched that nobody has ever been able to
>> convince the browser vendors that it might even remotely be a good
>> idea.

The use of SSL and PKI is not limited to financial services.  Not even
close.

> Right.  We have this obsession with protecting the old vision. 

The old vision was to use SSL for every application protocol supported.
There is indeed an obsession with that.  Every day, I use every one of
the protocols I mentioned above over SSL (https, POP3S, IMAPS, SMTPS,
SNEWS and LDAPS).
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
