[13601] in cryptography@c2.net mail archive
Re: The real problem that https has conspicuously failed to fix
daemon@ATHENA.MIT.EDU (Anne & Lynn Wheeler)
Thu Jun 12 11:07:35 2003
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
Date: Thu, 12 Jun 2003 08:35:03 -0600
To: "James A. Donald" <jamesd@echeque.com>
From: Anne & Lynn Wheeler <lynn@garlic.com>
Cc: cryptography@metzdowd.com
In-Reply-To: <3EE78EF4.23167.253CC47@localhost>
At 08:20 PM 6/11/2003 -0700, James A. Donald wrote:
>I think you have put your finger right on the problem.
>Certificates, https, and the entire PKI structure were designed
>for an accountless world, but the problem is accounts.
or slightly more accurately doing authentication for accounts. the other is
frequently confusing identification with authentication. the internet
registries (both domain and ip-address) haven't been doing authentication
... but just some simple identification. there are situations where
identification may quite orthogonal to whether or not you are the owner of
the account in question. also, identification also tends to open up the
whole can of worms around protecting privacy. as periodically stated (in
reference to x9.59) thick blanket of encryption protecting privacy
information is good, the information not being there at all is even better.
--
Anne & Lynn Wheeler http://www.garlic.com/~lynn/
Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
