[14070] in cryptography@c2.net mail archive
Re: Is cryptography where security took the wrong branch?
daemon@ATHENA.MIT.EDU (Ian Grigg)
Sun Sep 7 18:32:27 2003
X-Original-To: cryptography@metzdowd.com
Date: Sun, 07 Sep 2003 15:14:06 -0400
From: Ian Grigg <iang@systemics.com>
Reply-To: iang@systemics.com
To: EKR <ekr@rtfm.com>
Cc: crypto <cryptography@metzdowd.com>
Eric Rescorla wrote:
...
> > The other thing to be aware of is that ecommerce itself
> > is being stinted badly by the server and browser limits.
> > There's little doubt that because servers and browsers
> > made poorly contrived decisions on certificates, they
> > increased the overall risks to the net by reducing the
> > deployment, and probably reduced the revenue flow for
> > certificate providers by a factor of 2-5.
> I doubt that. Do you have any data to support this claim?

Sure. SSH.

It's about take up models. HTTPS'
model of take-up is almost deliberately designed
to reduce take-up. It uses a double interlocking
enforcement on purchase of a certificate. Because
both the browser and server insist on the cert
being correct and CA-signed and present, it places
a barrier of size X in front of users.

Instead, if there were two barriers, each of half-X,
being the setup of the SSL server (a properly set
up browser would have no barrier to using crypto),
and the upgrade to a CA-signed cert, then many more
users would clear the hurdles, one after the other.

How high can you jump? When I was young we used
to do this high jump thing, where we'd get up to
5 feet or so.

I could never do 6 feet. I couldn't even do 4 feet
these days, but, I could do any number of 3 feet jumps.
I could probably even do a few 3 feet jumps these days.

(In that youth, we called them by feet. These days,
a one metre jump looks more imposing...)

I'm curious. You really think that in order to sell
certificates, the best thing is to make them hard to
use? Is this a "quality" argument?

iang