[3922] in WWW Security List Archive
Re: Re: More on Certificates - "transmissibility"
daemon@ATHENA.MIT.EDU (David W. Morris)
Sun Dec 29 22:59:28 1996
Date: Sun, 29 Dec 1996 17:48:03 -0800 (PST)
From: "David W. Morris" <dwm@xpasc.com>
To: si10875@ci.uminho.pt
cc: www-security@ns2.rutgers.edu
In-Reply-To: <9612261626.AA02965@caeiro.ci.uminho.pt>
Errors-To: owner-www-security@ns2.rutgers.edu
On Thu, 26 Dec 1996 si10875@ci.uminho.pt wrote:
> I figured the answer to my question would be the one I got.
> But you have all answered me as if I intended to lend my certificate to some friends,
> and my position is the opposite. I want to sell access to a secure server I want to set up,
> and this transmissibility problem enables that I have more people accessing my site than
> the clients I have, (my idea is to sell access on a flat rate basis, not per access basis).
> I believe there is nothing you can do about that?
>
> Because the product I want to sell is INFORMATION, and because I want to do it
> on a flat rate basis, the problem of lending the certificate to a friend is different from
> giving the credit card to your wife, your friend using your certificate will cost you nothing.
Well, the responses dealt with the general question you asked. Now you
are more specific about your concern.
And the general answer applies ... if someone loans their certificate out
they risk having their friend run up charges ... in your specific case,
you may need to rethink your business plan if you really consider
that your service is so valuable that friends will exchange certificates.
A more likely scenario is that one person will go to the trouble to
obtain a certificate and will loan it out to save their friends some
trouble, not to avoid payment.
You should first of all clearly document your terms and conditions and
consider legal remedies.
Secondly, you might use cookies to attempt to limit sharing to a
single system. Perhaps combined with a traditional login page with
the salient T&Cs repeated.
Look for multiple concurrent usage as an indicator of sharing.
Don't make your service flat rate ... make it flat rate for
all practical purposes .... 2 or more times 'normal' usage.
Etc.
Dave Morris
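
The "multiple concurrent usage" check suggested in the message above, as an added example that is not part of the original post: it flags a client certificate seen from two or more client addresses within a short window. The log format, the sample lines, the 10-minute window and the function names are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format): timestamp, certificate subject, client address.
SAMPLE_LOG = """\
1996-12-29T10:00:05 CN=alice 192.0.2.10
1996-12-29T10:01:40 CN=bob 198.51.100.7
1996-12-29T10:02:10 CN=alice 203.0.113.44
1996-12-29T10:03:00 CN=alice 192.0.2.10
1996-12-29T10:20:00 CN=bob 198.51.100.7
1996-12-29T14:00:00 CN=carol 192.0.2.99
1996-12-29T18:30:00 CN=carol 203.0.113.5
"""


def parse(log_text):
    """Yield (timestamp, subject, address) tuples, skipping blank lines."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, subject, addr = line.split()
        yield datetime.fromisoformat(ts), subject, addr


def concurrent_sharing(log_text, window=timedelta(minutes=10)):
    """Return {subject: sorted addresses} for certificates that were used
    from two or more distinct addresses within `window` of each other."""
    recent = defaultdict(list)   # subject -> [(time, addr)] still inside the window
    flagged = defaultdict(set)   # subject -> addresses involved in an overlap
    for ts, subject, addr in sorted(parse(log_text)):
        # Drop requests that have aged out of the window, then add this one.
        hits = [(t, a) for t, a in recent[subject] if ts - t <= window]
        hits.append((ts, addr))
        recent[subject] = hits
        addrs = {a for _, a in hits}
        if len(addrs) > 1:
            flagged[subject] |= addrs
    return {s: sorted(a) for s, a in flagged.items()}


if __name__ == "__main__":
    for subject, addrs in concurrent_sharing(SAMPLE_LOG).items():
        print(f"{subject}: concurrent use from {', '.join(addrs)}")
```

A hit is an indicator to review, not proof of sharing: proxies and dial-up address changes can make one user appear at several addresses, which is why the window is kept short.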