RE: [Asrg] New take on emerging idea. (Query/C-R system?)

2003-04-12 04:57:34
If Vernon believes that there is a man in the middle attack possible
in SSL3.0 or TLS he should contact the TLS working group as soon as
possible as they appear to be unaware of such an issue. Probably 
because they don't exist.

    And we wouldn't even have eCommerce if it weren't for the trust that
    we already put in certificate authorities like VeriSign and Thawte.
    ...

That is technically wrong, although perhaps politically correct.
The political aspect is that people who don't have any idea or
interest in the technical details have been helped to overcome
their fears of "eCommerce" by the fig leaf of commercial PKI.

Again, I really would not respond, only you do have to keep making
ridiculous statements like this.


Deployment IS a 'political' problem. Therefore the political aspect
is not negligible.

The political issue is the requirement on the part of the credit card
issuers to have sufficient security to ensure that the process
provides an acceptable degree of risk control.

The issue for the credit card companies is providing the customer with
an assurance that the site concerned is a legitimate merchant, even
despite the flaws in the DNS system. Without certificates we would 
regularly have DNS spoofing attacks against Amazon etc.

Vernon appears to be unaware that the principal purpose of the SSL 
protocol is to provide integrity, not confidentiality. This is
quite a common problem amongst amateur security experts. Marc
Andreessen once made the same mistake when presenting SSL v1.0 at
MIT. Phil Zimmermann does not make this mistake, that's why it's
Pretty Good Privacy, not integrity, although many people who advocate
PGP as a generic security mechanism do make that mistake.

SPAM is an integrity problem, not a confidentiality problem.


I do not remember Vernon as having any involvement in this area
when the protocols were being developed. Had he played a significant 
role I am sure that I would remember him since I had the payments
brief at W3C at the time these protocols were being developed.


                Phill
 
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg