[9467] in cryptography@c2.net mail archive


Re: [FYI] Did Encryption Empower These Terrorists?

daemon@ATHENA.MIT.EDU (lynn.wheeler@firstdata.com)
Mon Sep 24 16:11:27 2001

To: Ben Laurie <ben@algroup.co.uk>
Cc: cryptography@wasabisystems.com,
	Hadmut Danisch <hadmut@danisch.de>, jim_windle@eudoramail.com
Message-ID: <OFB7268323.BC5AEA8F-ON87256AD1.006C2C45@LocalDomain>
From: lynn.wheeler@firstdata.com
Date: Mon, 24 Sep 2001 13:52:05 -0600
MIME-Version: 1.0
Content-type: text/plain; charset=us-ascii


If it was so easy ... it wouldn't be a problem. An objective of the
original e-commerce deployments was that the account number file not be
co-located on the webserver. The fact that a large number of subsequent
deployments have co-located it on the webserver or in some equally accessible
location would tend to indicate that it isn't as easy as it might first appear.

One might suspect that the definition of "easy" is rather relative ... and
also there may be some questions regarding what aspect of the issues does
"easy" apply to (internet easy, server easy, webserver easy, technology
easy, programming easy, business process easy, process easy, etc).

I would claim that having it become so prevalent after the initial
subsequent deployments would imply that there are at least some issues
involved that make it much more than a simple, straight-forward, brain-dead
matter (if it was trivially obvious for everybody in the world, then there is
some rationale that nobody would have done it in such a way that creates such
security & risk issues).


Ben Laurie <ben@algroup.co.uk>
09/24/2001 01:32 PM
To:      lynn.wheeler@firstdata.com
cc:      cryptography@wasabisystems.com, Hadmut Danisch <hadmut@danisch.de>, jim_windle@eudoramail.com
Subject: Re: [FYI] Did Encryption Empower These Terrorists?

lynn.wheeler@firstdata.com wrote:
>
> there are all sorts of shortcomings in this world. you find a "merchant"
> that buys a computer, installs some webserver software and puts it up and
> on the web and expects that to handle everything.

Fine, but that was not the point you claimed to be making. You said:

> The web server
> account number master file also typically represents a risk that is
> significantly greater than what typical merchant otherwise has at risk
...
> making it difficult to support a solution where the level of
> security/protection is proportional to the risk

but that is simply not true - it is very easy to eliminate this
particular piece of crap design.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
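The design point raised at the top of this message, that the account number file should not sit on the webserver, as an added illustration (example code, not from the thread or from either author): two toy web tiers take the same orders; one stores the full card number beside the order, the other stores only an opaque token and leaves the number in a separate vault service that the web tier can ask to charge but never read. A dump of the segregated webserver's data then yields no card numbers. The class names, the `tokenize`/`charge` interface and the sample card numbers are assumptions made for the illustration.

```python
"""Added example (not from the thread): what keeping the account number file
off the webserver buys you. Class names, the vault's tokenize/charge API and
the sample numbers are assumptions made for this illustration."""
import secrets

# Constructed sample card numbers (well-known test numbers, not real cards).
SAMPLE_ORDERS = [
    ("4111111111111111", 1999),
    ("5555555555554444", 4250),
    ("378282246310005", 120),
]


class AccountNumberVault:
    """Separate tier that holds the account numbers (PANs). The web tier
    never reads from it; it only receives tokens and asks the vault to act."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan):
        # Random token: carries no information about the PAN it stands for.
        token = secrets.token_hex(16)
        self._pan_by_token[token] = pan
        return token

    def charge(self, token, amount_cents):
        # Stand-in for the call to the acquirer; returns only masked data.
        pan = self._pan_by_token.get(token)
        if pan is None:
            raise KeyError("unknown token")
        return {"approved": amount_cents > 0, "last4": pan[-4:]}


class CoLocatedWebTier:
    """The design the thread objects to: the PAN is stored beside the order
    on the webserver itself."""

    def __init__(self):
        self.orders = []

    def place_order(self, pan, amount_cents):
        self.orders.append({"pan": pan, "amount": amount_cents})
        return len(self.orders) - 1

    def dump(self):
        return list(self.orders)


class SegregatedWebTier:
    """The webserver keeps only a token and the last four digits; the PAN
    lives in the vault, which the web tier can use but not read."""

    def __init__(self, vault):
        self._vault = vault
        self.orders = []

    def place_order(self, pan, amount_cents):
        token = self._vault.tokenize(pan)
        result = self._vault.charge(token, amount_cents)
        self.orders.append({"token": token, "amount": amount_cents,
                            "last4": result["last4"]})
        return len(self.orders) - 1

    def dump(self):
        return list(self.orders)


def pans_in_dump(records, pans):
    """Count how many of the given PANs appear anywhere in a record set,
    i.e. what a copy of the webserver's data would hand over."""
    blob = "\n".join(str(r) for r in records)
    return sum(1 for pan in pans if pan in blob)


def compare_exposure(orders=SAMPLE_ORDERS):
    """Run the same orders through both designs and count the PANs
    recoverable from each webserver's own data."""
    pans = [pan for pan, _ in orders]
    colocated = CoLocatedWebTier()
    segregated = SegregatedWebTier(AccountNumberVault())
    for pan, amount in orders:
        colocated.place_order(pan, amount)
        segregated.place_order(pan, amount)
    return {
        "colocated": pans_in_dump(colocated.dump(), pans),
        "segregated": pans_in_dump(segregated.dump(), pans),
    }


if __name__ == "__main__":
    print(compare_exposure())  # {'colocated': 3, 'segregated': 0}
```

The point of the toy is the interface shape: the web tier's only handle on a card number is a token plus a narrow `charge` call, so the webserver's database, logs and backups carry nothing worth stealing. Whether that counts as "easy" in practice depends on where the vault runs and who administers it, which is the business-process side of the argument in the thread.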

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com