At 03:39 AM 9/10/2003 -0700, [EMAIL PROTECTED] wrote:
There are some other problems w/ using the DNS.
No revocation process.
DNS caching
third-party trust (DNS admins != delegation holder)
Since DNS is an online positive list you change
At 03:39 AM 9/10/2003 -0700, [EMAIL PROTECTED] wrote:
There are some other problems w/ using the DNS.
No revocation process.
DNS caching
third-party trust (DNS admins != delegation holder)
Given high value /or low trust ...
. recent SET refs:
http://www.garlic.com/~lynn/aadsm15.htm#0 invoicing with PKI
http://www.garlic.com/~lynn/aadsm15.htm#2 Is cryptography where security
took the wrong branch?
http://www.garlic.com/~lynn/aadsm15.htm#3 Is cryptography where security
took the wrong branch?
--
Anne Lynn Wheelerhttp
At 05:19 PM 9/7/2003 -0600, Anne Lynn Wheeler wrote:
Out of all this, there is somewhat a request from the CA/PKI industry that
a public key be registered as part of domain name registration (no
certificate, just a public key registration). Then SSL domain name
certificate requests coming into
At 05:07 PM 9/9/2003 -0700, Joseph Ashwood wrote:
Now that the waters have been muddied (by several of us). My point was that
3D-Secure (and SET and whatever else comes along) covers a different
position in the system than SSL does (or can). As such they do have a
purpose, even though they may be
Eric Rescorla wrote:
Ben Laurie [EMAIL PROTECTED] writes:
Eric Rescorla wrote:
Incidentally, when designing SHTTP we envisioned that credit
transactions would be done with signatures. I would say that
the Netscape guys were right in believing that confidentiality
for the CC number was good
- Original Message -
From: Ian Grigg [EMAIL PROTECTED]
Sent: Sunday, September 07, 2003 12:01 AM
Subject: Re: Is cryptography where security took the wrong branch?
That's easy to see, in that if SSL was oriented
to credit cards, why did they do SET? (And,
SHTTP seems much closer
At 03:01 AM 9/7/2003 -0400, Ian Grigg wrote:
Reputedly, chargeback rates and fees in the fringe
industries - adult for example - can reach 50%. But,
instead of denying those uses of the card - hygiene -
issuers have encouraged it (...until recently. There is
now a movement, over the last year,
Eric Rescorla wrote:
Incidentally, when designing SHTTP we envisioned that credit
transactions would be done with signatures. I would say that
the Netscape guys were right in believing that confidentiality
for the CC number was good enough.
I don't think so. One of the things I'm running into
Eric Rescorla wrote:
Ian Grigg [EMAIL PROTECTED] writes:
Eric Rescorla wrote:
...
The other thing to be aware of is that ecommerce itself
is being stinted badly by the server and browser limits.
There's little doubt that because servers and browsers
made poorly contrived
Ed,
I've left your entire email here, because it needs to
be re-read several times. Understanding it is key to
developing protocols for security.
Ed Gerck wrote:
Arguments such as we don't want to reduce the fraud level because
it would cost more to reduce the fraud than the fraud costs are
Ian Grigg [EMAIL PROTECTED] writes:
Eric Rescorla wrote:
Ian Grigg [EMAIL PROTECTED] writes:
Eric Rescorla wrote:
...
The other thing to be aware of is that ecommerce itself
is being stinted badly by the server and browser limits.
There's little doubt that because
James A. Donald [EMAIL PROTECTED] writes:
--
On 7 Sep 2003 at 9:48, Eric Rescorla wrote:
It seems to me that your issue is with the authentication
model enforced by browsers in the HTTPS context, not with SSL
proper.
To the extent that trust information is centrally handled, as
At 09:44 AM 9/7/2003 -0700, Eric Rescorla wrote:
Incidentally, when designing SHTTP we envisioned that credit
transactions would be done with signatures. I would say that
the Netscape guys were right in believing that confidentiality
for the CC number was good enough.
actually was supposedly no
At 12:30 PM 9/7/2003 -0700, James A. Donald wrote:
To the extent that trust information is centrally handled, as
it is handled by browsers, it will tend to be applied in ways
that benefit the state and the central authority. Observe for
example that today all individual certificates must be
Ian Grigg wrote:
Pretty much. Trust in the certificate world means that
a CA has authorised a web server to conduct crypto stuff.
and James Donald and Lynn Wheeler also brought up the issues
of who's certifying what, True Names, etc.
SSL certs are really addressing (I won't say solving, exactly)
Eric Rescorla wrote:
Elasticity is about how much consumption changes when price
changes, not about what people who were already going to buy
choose to buy.
Sorry, Eric, I'm not quite with you on this...
You said:
Maybe, maybe not. You've never heard of price inelasticity?
You haven't
--
At 12:30 PM 9/7/2003 -0700, James A. Donald wrote:
To the extent that trust information is centrally handled,
as it is handled by browsers, it will tend to be applied in
ways that benefit the state and the central authority
On 7 Sep 2003 at 17:19, Anne Lynn Wheeler wrote:
Out of
Arguments such as we don't want to reduce the fraud level because
it would cost more to reduce the fraud than the fraud costs are just a
marketing way to say that a fraud has become a sale. Because fraud
is an hemorrhage that adds up, while efforts to fix it -- if done correctly
-- are mostly an
In message [EMAIL PROTECTED],
Ian Grigg [EMAIL PROTECTED] wrote:
For example, he states that 28% of wireless
networks use WEP, and 1% of web servers use SSL,
but doesn't explain why SSL is a success and
WEP is a failure :-)
Actually, he does; slide 11 is titled Why has SSL succeeded?,
and
Ian Grigg [EMAIL PROTECTED] writes:
There appear to be a number of metrics that have been suggested:
a. number of design wins
b. penetration into equivalent unprotected market
c. number of actual attacks defeated
d. subjective good at the application level
e. worthless
Ian Grigg [EMAIL PROTECTED] writes:
Eric Rescorla wrote:
Ian Grigg [EMAIL PROTECTED] writes:
I think it's pretty
inarguable that SSL is a big success.
One thing that has been on my mind lately is how
to define success of a crypto protocol. I.e.,
how to take your thoughts, and my
In message [EMAIL PROTECTED],
Ian Grigg [EMAIL PROTECTED] wrote:
One thing that has been on my mind lately is how
to define success of a crypto protocol.
There are two needs a security protocol can address. One is the need
to prevent or mitigate real attacks; the other is to make people feel
23 matches