On 12/8/2013 1:59 PM, Robin Wilton wrote:
> Nick,
>
> I agree that there is a cost threshold for signature/MAC. It is something I uncovered in my PKI research: for PKI-enabled micropayments it is, arguably, not worth signing the public key involved, if the number of disputed payments is at normal levels... because normal levels, for most micropayment applications, are low. It's more cost-effective to simply refund the tiny minority of disputed payments.

It seems like a threat model that assumes the sole risk is disputed payments "at the normal rate" is broken in the presence of automated attacks.

I don't think the NSA is the only bad actor; in the short term, for-profit criminal groups seem more likely to do active or tailored attacks. This can result in bursts of fraud and/or malware affecting particular clients or sites disproportionately.

_______________________________________________
perpass mailing list
https://www.ietf.org/mailman/listinfo/perpass
