Re: Is cryptography where security took the wrong branch?

2003-09-10 Thread Anne Lynn Wheeler
At 03:39 AM 9/10/2003 -0700, [EMAIL PROTECTED] wrote: There are some other problems w/ using the DNS. No revocation process. DNS caching third-party trust (DNS admins != delegation holder) Since DNS is an online positive list you change

Re: Is cryptography where security took the wrong branch?

2003-09-10 Thread bmanning
At 03:39 AM 9/10/2003 -0700, [EMAIL PROTECTED] wrote: There are some other problems w/ using the DNS. No revocation process. DNS caching third-party trust (DNS admins != delegation holder) Given high value /or low trust ...

Re: Is cryptography where security took the wrong branch?

2003-09-09 Thread Anne Lynn Wheeler
At 04:25 PM 9/8/2003 -0700, Joseph Ashwood wrote: Actually they do target very different aspects. SET, 3D-Secure, and any other similar have a different target than SSL. To understand this it is important to realize that instead of the usual view of two-party transactions, credit card transactions

Re: Is cryptography where security took the wrong branch?

2003-09-09 Thread Anne Lynn Wheeler
At 05:19 PM 9/7/2003 -0600, Anne Lynn Wheeler wrote: Out of all this, there is somewhat a request from the CA/PKI industry that a public key be registered as part of domain name registration (no certificate, just a public key registration). Then SSL domain name certificate requests coming into

Re: Is cryptography where security took the wrong branch?

2003-09-09 Thread Anne Lynn Wheeler
At 05:07 PM 9/9/2003 -0700, Joseph Ashwood wrote: Now that the waters have been muddied (by several of us). My point was that 3D-Secure (and SET and whatever else comes along) covers a different position in the system than SSL does (or can). As such they do have a purpose, even though they may be

Re: Is cryptography where security took the wrong branch?

2003-09-08 Thread Ben Laurie
Eric Rescorla wrote: Ben Laurie [EMAIL PROTECTED] writes: Eric Rescorla wrote: Incidentally, when designing SHTTP we envisioned that credit transactions would be done with signatures. I would say that the Netscape guys were right in believing that confidentiality for the CC number was good

Re: Is cryptography where security took the wrong branch?

2003-09-08 Thread Joseph Ashwood
- Original Message - From: Ian Grigg [EMAIL PROTECTED] Sent: Sunday, September 07, 2003 12:01 AM Subject: Re: Is cryptography where security took the wrong branch? That's easy to see, in that if SSL was oriented to credit cards, why did they do SET? (And, SHTTP seems much closer

Re: Is cryptography where security took the wrong branch?

2003-09-07 Thread Anne Lynn Wheeler
At 03:01 AM 9/7/2003 -0400, Ian Grigg wrote: Reputedly, chargeback rates and fees in the fringe industries - adult for example - can reach 50%. But, instead of denying those uses of the card - hygiene - issuers have encouraged it (...until recently. There is now a movement, over the last year,

Re: Is cryptography where security took the wrong branch?

2003-09-07 Thread Ben Laurie
Eric Rescorla wrote: Incidentally, when designing SHTTP we envisioned that credit transactions would be done with signatures. I would say that the Netscape guys were right in believing that confidentiality for the CC number was good enough. I don't think so. One of the things I'm running into

Re: Is cryptography where security took the wrong branch?

2003-09-07 Thread Ian Grigg
Eric Rescorla wrote: Ian Grigg [EMAIL PROTECTED] writes: Eric Rescorla wrote: ... The other thing to be aware of is that ecommerce itself is being stinted badly by the server and browser limits. There's little doubt that because servers and browsers made poorly contrived

Re: Is cryptography where security took the wrong branch?

2003-09-07 Thread Ian Grigg
Ed, I've left your entire email here, because it needs to be re-read several times. Understanding it is key to developing protocols for security. Ed Gerck wrote: Arguments such as we don't want to reduce the fraud level because it would cost more to reduce the fraud than the fraud costs are

Re: Is cryptography where security took the wrong branch?

2003-09-07 Thread Eric Rescorla
Ian Grigg [EMAIL PROTECTED] writes: Eric Rescorla wrote: Ian Grigg [EMAIL PROTECTED] writes: Eric Rescorla wrote: ... The other thing to be aware of is that ecommerce itself is being stinted badly by the server and browser limits. There's little doubt that because

Re: Is cryptography where security took the wrong branch?

2003-09-07 Thread Eric Rescorla
James A. Donald [EMAIL PROTECTED] writes: -- On 7 Sep 2003 at 9:48, Eric Rescorla wrote: It seems to me that your issue is with the authentication model enforced by browsers in the HTTPS context, not with SSL proper. To the extent that trust information is centrally handled, as

Re: Is cryptography where security took the wrong branch?

2003-09-07 Thread Anne Lynn Wheeler
At 09:44 AM 9/7/2003 -0700, Eric Rescorla wrote: Incidentally, when designing SHTTP we envisioned that credit transactions would be done with signatures. I would say that the Netscape guys were right in believing that confidentiality for the CC number was good enough. actually was supposedly no

Re: Is cryptography where security took the wrong branch?

2003-09-07 Thread Anne Lynn Wheeler
At 12:30 PM 9/7/2003 -0700, James A. Donald wrote: To the extent that trust information is centrally handled, as it is handled by browsers, it will tend to be applied in ways that benefit the state and the central authority. Observe for example that today all individual certificates must be

Re: Is cryptography where security took the wrong branch?

2003-09-07 Thread Bill Stewart
Ian Grigg wrote: Pretty much. Trust in the certificate world means that a CA has authorised a web server to conduct crypto stuff. and James Donald and Lynn Wheeler also brought up the issues of who's certifying what, True Names, etc. SSL certs are really addressing (I won't say solving, exactly)

Re: Is cryptography where security took the wrong branch?

2003-09-07 Thread Ian Grigg
Eric Rescorla wrote: Elasticity is about how much consumption changes when price changes, not about what people who were already going to buy choose to buy. Sorry, Eric, I'm not quite with you on this... You said: Maybe, maybe not. You've never heard of price inelasticity? You haven't

Re: Is cryptography where security took the wrong branch?

2003-09-07 Thread James A. Donald
-- At 12:30 PM 9/7/2003 -0700, James A. Donald wrote: To the extent that trust information is centrally handled, as it is handled by browsers, it will tend to be applied in ways that benefit the state and the central authority On 7 Sep 2003 at 17:19, Anne Lynn Wheeler wrote: Out of

Re: Is cryptography where security took the wrong branch?

2003-09-04 Thread Ed Gerck
Arguments such as we don't want to reduce the fraud level because it would cost more to reduce the fraud than the fraud costs are just a marketing way to say that a fraud has become a sale. Because fraud is an hemorrhage that adds up, while efforts to fix it -- if done correctly -- are mostly an

Re: Is cryptography where security took the wrong branch?

2003-09-03 Thread Michael Shields
In message [EMAIL PROTECTED], Ian Grigg [EMAIL PROTECTED] wrote: For example, he states that 28% of wireless networks use WEP, and 1% of web servers use SSL, but doesn't explain why SSL is a success and WEP is a failure :-) Actually, he does; slide 11 is titled Why has SSL succeeded?, and

Re: Is cryptography where security took the wrong branch?

2003-09-03 Thread Peter Gutmann
Ian Grigg [EMAIL PROTECTED] writes: There appear to be a number of metrics that have been suggested: a. number of design wins b. penetration into equivalent unprotected market c. number of actual attacks defeated d. subjective good at the application level e. worthless

Re: Is cryptography where security took the wrong branch?

2003-09-03 Thread Eric Rescorla
Ian Grigg [EMAIL PROTECTED] writes: Eric Rescorla wrote: Ian Grigg [EMAIL PROTECTED] writes: I think it's pretty inarguable that SSL is a big success. One thing that has been on my mind lately is how to define success of a crypto protocol. I.e., how to take your thoughts, and my

Re: Is cryptography where security took the wrong branch?

2003-09-03 Thread Michael Shields
In message [EMAIL PROTECTED], Ian Grigg [EMAIL PROTECTED] wrote: One thing that has been on my mind lately is how to define success of a crypto protocol. There are two needs a security protocol can address. One is the need to prevent or mitigate real attacks; the other is to make people feel