
Re: [Fwd: [isdf] need help from the ietf list...can someone post this for me? or allow me to post directly?]

2003-12-21 14:09:37
Parry Aftab;

> What do you suggest short of an absolute guarantee?

Common sense.

> How do I advise consumers to tell the difference between legitimate
> e-mails with embedded links and the phished ones using spoofed sites?

What if you go to a branch office of a bank and, in the lobby of the
bank, hand 1M USD of cash to some person whom you don't know but
who claims to be bank personnel?

> I am concerned that this could seriously undermine the use of e-mail and
> websites for e-commerce and financial transactions.

Exactly.

Who said e-mail and websites are useful for e-commerce and
financial transactions with absolute guarantee?

They are only as trustworthy as e-commerce and financial
transactions over e-phones (note that most phones are
electric).

If some researchers of cryptography have convinced you
differently, it is merely that they are more elegant
in deceiving you than most spammers.

If you want to use cryptographic technology, shared
secret cryptography works. That is, if you share a long
enough secret directly with a bank and have a transaction
with challenge and response authentication, the transaction
is as reliable as bank personnel you directly know.

However, PKI does not help e-commerce or financial transactions,
as discussed in my recent paper: "Meaninglessness of Public
Key Cryptography for Authentication on Consumable Credential"
(presented in Japan in Japanese):

        Abstract: For electric transactions, the essential benefit
        of public key cryptography over shared key cryptography is
        that it is not necessary to communicate with a Certificate
        Authority on each transaction. However, it is meaningless
        to use public key cryptography for authentication on
        consumable credentials, such as authentication of remaining
        credential in an account for electric payment, as fraud with
        tremendous damage is easily performed, unless communication
        with authorities to manage the account and decrease remaining
        credential is required on each transaction.

The problem of PKI without realtime management of remaining
credential is that an attacker can use 1K USD worth of certs
from 1000 different locations for 1000 seconds 1000 times a
second, the total amount of damage of which is 1T USD.

Credential can be created only with direct communication.

                                                Masataka Ohta