ietf-smime

Re: [saag] [Cfrg] Further MD5 breaks: Creating a rogue CAcertificate

2009-01-08 09:27:52

--On Friday, January 09, 2009 02:17:44 AM +1300 Peter Gutmann <pgut001(_at_)cs(_dot_)auckland(_dot_)ac(_dot_)nz> wrote:

> Jeffrey Hutzelman <jhutz(_at_)cmu(_dot_)edu> writes:
>
> > Note that charging a fee for this service is not absurd.  Lots of people
> > (consumers) pay fees for up-to-date lists of virus signatures, phishing
> > sites, spam-blocking rules, and so on.
>
> Conceptually it's not absurd, but how are you going to persuade a
> billion-odd users that they need to pay for something that they've been
> conditioned to get for free?  Will you promise to indemnify them against
> identity theft (via phishing) if they sign up to your service?  What
> value-add will you offer that will convince the drool-and-click masses to
> pay for your service?

Convince the insurance companies to give discounts on "identity theft" insurance (yes, this product exists and is pretty common; it covers the costs of tracking down and fixing the results of fraud that, under the present system, are borne _not_ by the banks or merchants but by the individual who was impersonated).

Convince the security software companies to add this service to their bundles. Plenty of people buy that stuff.

Convince the banks to change their rules to make you responsible for unauthorized access if it would have been prevented by such a service and you weren't using one.

-- Jeff