Re: A Note About Trust Anchor Key Distribution

2005-07-08 Thread bmanning

nice paper.  note that it claims this paper is being published to 
establish IPR claims.  there is prior art in several vectors.

you may wish to consider the following (although now expired) 
Internet Drafts:

draft-ietf-dnsext-trustupdate-threshold-00

and a similar one authored by Mike StJohns.

that cover the same basic ideas. at least one of
these is being updated and revised.

--bill manning

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: [Forwarded] RealID: How to become an unperson.

2005-07-08 Thread Dirk-Willem van Gulik

On Tue, 5 Jul 2005 [EMAIL PROTECTED] wrote:

 (currently in Boston, MA, after giving fingerprints at the
 airport immigration)

And you may have then noticed the interesting effect; in Germany we have
mandatory cards - carry them round always - but virtually have to show
them. And only to officials often.

In the US they have no official card - yet even the lowest clerk at the
blockbuster video asks for one...

Dw.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Why Blockbuster looks at your ID.

2005-07-08 Thread Perry E. Metzger

Dirk-Willem van Gulik [EMAIL PROTECTED] writes:
 And you may have then noticed the interesting effect; in Germany we have
 mandatory cards - carry them round always - but virtually have to show
 them. And only to officials often.

 In the US they have no official card - yet even the lowest clerk at the
 blockbuster video asks for one...

Dirk-Willem implicitly asks an interesting question. Answering it
brings us back to security again.

Why does the clerk at Blockbuster want to see your driver's license?
Because his management has been told, by their bank, that if they do
not attempt to verify the identity of credit card users they will risk
their business relationship with the bank. Credit card fraud is far
too prevalent, DVDs are easily resold, and the bank wants to make sure
that they won't get defrauded. Blockbuster also wants to minimize
fraudulent use of credit cards (which they end up eating in some
instances) and the loss of their property (which will never be
returned by someone renting a video with a stolen credit card).

So, because of this, they're under tremendous pressure to look at some
form of identification to try to assure that the person presenting the
credit card is the legitimate owner of the credit card.

As an aside, businesses in European countries often do not operate
with the same sort of business models US companies have to deal with
in this regard. Many of them don't take credit cards at all, or only
started to in the last decade and are not yet suffering from the same
levels of fraud. In many instances, they are also legally constrained
from requesting government issued ID.

So, what is to be done? I would propose that the replacement of the
credit card infrastructure is needed. Fraud is prevalent because of a
massive inherent security flaw in the current system, to whit,
the account number is identical to the payment authenticator, and
you can make a payment merely through possession of a piece of stolen
plastic.

A system in which the credit card was replaced by a small, calculator
style token with a smartcard style connector could effectively
eliminate most of the in person and over the net fraud we experience,
and thus get rid of large costs in the system and get rid of the need
for every Tom, Dick and Harry to see your drivers license when you
make a purchase. It would both improve personal privacy and help the
economy by massively reducing transaction costs.

Perry

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


WWW 2006 Call For Papers: Security, Privacy Ethics Track

2005-07-08 Thread Angelos D. Keromytis

WWW2006 Refereed Track: Security, privacy  Ethics

Viruses, spyware, and identity theft are turning the World Wide Web into 
a dangerous place. By undermining consumer trust, these problems are 
hampering e-commerce and the growth of online communities. A basic 
lesson is coming home to researchers, operators, and ordinary users 
alike: Security and privacy are not frills or features, but vital and 
enabling building blocks. As Web-based systems take on a physical 
dimension through wireless devices and sensors, and as they absorb 
varied media — from books to online games to home movies — digital 
security is ramifying in its economic and social reach.


This track promotes the view that security, privacy, and sound guiding 
ethics must be part of the texture of a successful World Wide Web. In 
addition to devising practical tools and techniques, it is the duty of 
the research community to promote and guide business adoption of 
security technology for the Web and to help inform related legislation.


The organizers seek novel research in security, privacy, and ethics as 
they relate to the Web, including but not limited to the following areas:


* Biometrics and secure template management
* Digital Rights Management from its technical, ethical, and legal 
perspectives

* Economic / business analysis of Web security and privacy
* Electronic commerce, particularly security mechanisms for e-cash, 
auctions, payment, and fraud detection

* Intrusion detection, insider threats, auditing, and honeypots
* Legal and legislative approaches to issues of Web security and 
privacy

* Location-based services
* Knowledge-based authentication, such as security questions for 
password recovery
* Privacy-enhancing technologies, including anonymity, pseudonymity 
and identity management
* Public-key infrastructure and supporting concepts like digital 
signatures and certification

* Secure and robust management of server farms
* User interfaces as they relate to digital signing, encryption, 
passwords, and online scams like phishing
* Wireless devices that interface with the Web, including RFID, 
sensors, and mobile phones

* Web-services and supporting standards like XML

Chairs

* Ari Juels (RSA Laboratories) (Vice Chair)
* Angelos Keromytis (Columbia University)  (Deputy Vice Chair)

PC Members

* Masayuki Abe (NTT, Japan)
* Kostas Anagnostakis (Univ. of Penn., USA)
* Dan Boneh (Stanford Univ., USA)
* Dario Catalano (l’ENS, France)
* Sabrina de Capitani di Vimercati (Univ. of Milan, Italy)
* Marc Dacier (Eurecom, France)
* George Danezis (Univ. Cambridge, UK)
* Ed Felten (Princeton Univ., USA)
* Kevin Fu (Univ. of Mass, USA)
* Craig Gentry (NTT DoCoMo?, USA)
* Sotiris Ioannidis (Stevens Inst. of Tech., USA)
* Markus Jakobsson (Univ. of Indiana, USA)
* Marc Joye (Gemplus, France)
* Arjen Lenstra (Lucent, Bell Labs, USA and Tech. Univ. Eindhoven, 
The Netherlands)

* Radia Perlman (Sun Microsystems, USA)
* Benny Pinkas (HP Labs, USA)
* Mike Reiter (CMU, USA)
* Eric Rescorla (RTFM Inc., USA)
* Vitaly Shmatikov (UT Austin, USA)
* Jessica Staddon (PARC, USA)
* Dan Wallach (Rice Univ., USA)
* Brent Waters (Stanford Univ., USA)
* Rebecca Wright (Stevens Inst. of Tech, USA)
* Dongyan Xu (Purdue, Univ., USA)
* Yuliang Zheng (Univ. of North Carolina, USA)

For more details, see http://www2006.org/tracks/security.php


The World's WWW Conference

WWW2006 will bring together the international communities of 
researchers, developers and business that drive the Web forward, shaping 
and developing its potential for new areas of communication, research, 
business and public administration.


Since the first international WWW Conference in 1994, this prestigious 
event, organized by the International World Wide Web Conference 
Committee (IW3C2), has provided the annual public forum for 
communicating research and development of the Web infrastructure and 
applications, as well as W3C initiatives.


The fifteenth conference in the series comes to the UK for the first 
time, and to one of the great historical centres of science and 
technology. Edinburgh is Scotland's capital city, home to one of the 
UK's oldest universities, an epicentre of the IT business sector and one 
of the world's great festival cities.


The WWW2006 programme addresses topics in media, e-government, 
e-commerce, education and e-science. The technical programme will draw 
on global research and industrial strengths to provide a strategic forum 
for the dissemination of new techniques and applications throughout the 
research community, the business and company sector and government agencies.


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Why Blockbuster looks at your ID.

2005-07-08 Thread Dan Kaminsky



I'm think you wrong on that one. Financial cost and benefit are easily
assessed on this, and I think the numbers add up. Credit card fraud
costs in the hundreds of billions of dollars a year, much of which
could be eliminated by a change to the sort of system I
mention. That's not a small amount of money. Indeed, it is more than
enough incentive for a major change.

 


Credit card fraud has gone *down* since 1992, and is actually falling:

1992:  $2.6B
2003:  $882M
2004:  $788M

We're on the order of 4.7 cents on the $100.

http://www.businessweek.com/technology/content/jun2005/tc20050621_3238_tc024.htm

If it's any consolation, I was rather surprised myself.

--Dan


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Why Blockbuster looks at your ID.

2005-07-08 Thread Perry E. Metzger

Dan Kaminsky [EMAIL PROTECTED] writes:
 Credit card fraud has gone *down* since 1992, and is actually falling:

 1992:  $2.6B
 2003:  $882M
 2004:  $788M

 We're on the order of 4.7 cents on the $100.

 http://www.businessweek.com/technology/content/jun2005/tc20050621_3238_tc024.htm

 If it's any consolation, I was rather surprised myself.

I seem to have gotten that one drastically wrong. Thanks for the
more accurate figures.

A back of the envelope calculation makes me think that it is still
more than enough money to provide a good incentive for a change in
systems, though, especially when the cost of the anti-fraud measures
needed at every part of the system are taken in to account.

Perry

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Why Blockbuster looks at your ID.

2005-07-08 Thread Adam Fields
On Fri, Jul 08, 2005 at 12:19:38PM -0400, Perry E. Metzger wrote:
[...]
 Actually, the people who would have to pay the investment -- the banks
 and merchants -- have an excellent incentive. The loss because of
 fraud is stunningly large. The real issue is that *consumers* have
 little incentive to cooperate with such a system, because thanks to
 the regulations, they suffer virtually no losses if their accounts are
 hijacked.

As I understand it, the merchants bear the entire cost of fraud - the
banks bear almost none - and thus the consumers end up paying for it
indirectly through higher prices. The merchants, however, have very
little control over the infrastructure, which is provided by the
banks, who have little incentive to actually control fraud because
they would bear all of the costs of such, and none of the risk is
theirs.

So the assertion is that consumers and banks have little incentive to
cooperate with such a system, but (some of***) the merchants REALLY
WANT it. However, the system is useless if the consumers don't have
it, and the banks have no incentive to give something to consumers
that's better, because it would cost them money and save them money
that they can currently simply charge the merchants for (fraud).

*** The merchants can be divided into two groups - most of them who
have not been bitten by fraud and will continue to try to pay as
little as possible for credit processing services regardless of
the risk because every little bit eats more into their profit, and
those who have been bitten by fraud, understand the risks, and
will go for paying for for a service that frees them from
additional liability.

Consumers, on the other hand, still have limited incentive to
participate. I'd suspect the NewBanks(TM) would simply have to lure
them with lower interest rates, which they'd find hard to do because
it would cut into their profits, making it difficult to pay for all of
the additional infrastructure they'd need to build.

The system is, of course, pretty much worthless if it's not in the
hands of the vast majority of consumers.

As I said, any sea change like this has to either replace the
traditional credit granting/honoring agencies, or take away enough of
their business that they have no choice but to go along with
it. Assuming that they don't use their considerable existing wealth
and influence to simply make the new products illegal from the get go.

--
- Adam

** I can fix your database problems: http://www.everylastounce.com/mysql.html **

Blog... [ http://www.aquick.org/blog ]
Links.. [ http://del.icio.us/fields ]
Photos. [ http://www.aquick.org/photoblog ]
Experience. [ http://www.adamfields.com/resume.html ]
Product Reviews: .. [ http://www.buyadam.com/blog ]


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]