[11730] in Commercialization & Privatization of the Internet
Random Thoughts Regarding RSA/NCSA/EIT
daemon@ATHENA.MIT.EDU (Rob Raisch, The Internet Company)
Sat Apr 16 01:58:29 1994
Date: Fri, 15 Apr 1994 10:57:55 -0700 (PDT)
From: "Rob Raisch, The Internet Company" <raisch@internet.com>
Reply-To: "Rob Raisch, The Internet Company" <raisch@internet.com>
To: Brian Hawthorne - SunSelect Strategic Marketing <brianh@suneast.east.sun.com>
Cc: com-priv@psi.com
In-Reply-To: <9404142111.AA07501@sea.East.Sun.COM>
---------
Apologies beforehand for the rambling nature of this. Spent the night
doing taxes. Mea culpa. Also, I'll admit I am not overly familiar with
the mechanics of the existant public key packages. I've never had any
reason to learn them.
---------
Please don't assume that I am anti-commerce on the Internet. Anyone who
knows me or my work on this list will realize that that would be a mistake.
Please do not assume that I am fundamentally against online commercial
transactions. I am not. Not by a long shot. I would love to be able to
sell my customer's data to the Internet community. And in some limited
ways, I do. It's just very difficult for me to get excited by
RSA/NCSA/EIT and what they are planning, for the following reasons...
---------
Excuse me, but if my login is cracked and my private key -- which one
must infer is kept in some form in my account -- is filched, I am no long
exclusively "me." No?
---------
How many apparently random digits make up my private key? 32? 64? Not
something I am overly excited about having to memorize. So, the key seals
the deal, but anyone who knows my dog's name can have access to my
purchasing power? Hmmmm....
---------
I believe that soft or abstract identification -- by itself -- will never
be generally useful for Internet commerce. Hell, the problems here are
not technical. They are political and social. Where will I register my
public key? Who manages this information? Who is the authority?
---------
How much of unauthorized purchases am I personally responsible for? If my
Visa is pinched, I'm only liable for the first $50, I think. What banks
currently accept online transactions? I know of none. What federal
agency oversees online transactions?
---------
How can I be assured that my purchases to X Corp. are not being monitored
by others? How can I be sure that the moment I buy anything online that
my purchasing habits are not being monitored?
I use EDI to purchase 30,000 left-handed widgets. My competitors gain
access to this information and learn my company's next big marketing push.
Remember: There is a BIG BIG difference between pointo to point
communications and packet switching.
Do YOU know how many companies are aware of the fact that you recently
purchased that rubber novelty via mail order?
---------
In fact, there is an interesting analogy here with mail order. But as a
merchant in mail order, I am not allowed to deliver product to a P.O. Box.
This is because the extra level of indirection to the recipient is
considered risk. Strong enough risk, in fact that I am not allowed to
deliver to this kind of customer.
---------
My ATM (Automated Teller Machine) card is protected by an abstraction: my
PIN. I memorize my PIN, insert my card, type in the PIN, and I get
cash. But woe unto me if I mistype the PIN three times. The verdammt
machine eats my card! Hmmm... more management of risk. I can only take
out $500 per day. Again, management of risk.
---------
What are the risks involved in online transactions? Do we really know?
If I am not exclusively "me", what risk does that represent?
I am "me" because of my face and my fingerprints and because I know you
and have known you for years. Identity in the real world is based on
something physical. Or it's an extension of something physical.
"There is no there, there." -Gibson
Online, there is no geography or geometry. There is no physical component
to data.
---------
I guess that I'm not holding my breath for a time when I can conduct an
entire transaction online.
---------
Mosaic has other problems as a useful platform for Internet commerce, not
the least of which is the fact that comparitively few users of the global
Internet have access to workstations supporting the necessary
capabilities to run Mosaic in any reasonable fashion. How big a pipe is
required to REALLY run Mosaic?
---------
Conservative Estimates:
Current Internet Popluation: 25 million
Registered Hosts: 2 million
Number of Registered Hosts with Graphics/Bandwidth: 500,000
Conclusion: 98% of the global Internet cannot currently use Mosaic.
---------
It's interesting to note that when you talk to technologists, it becomes
clear that public key cryptography, the World-Wide Web and Mosaic are
marvelous answers to the problems of identity, commerce and publishing,
but when you talk to banks and publishers, the response is far less than
you might expect.
---------
Mosaic is really a poor publishing platform -- if you talk to publishers
-- because it allows the consumer too much control over the presentation
and structuring of information. Publishing is really the imposition of
control over the creative chaos of the author. Control over content.
Control over presentation. Control over distribution and access.
---------
When I first showed Mosaic to a newspaper publisher, he was excited by
its capabilities. In fact, the response was overwhelming until I
demonstrated Mosaic's option to change the presentation font. My
publisher friend's jaw hit the floor. I then resized the window to show
other tools and Mosaic dutifully reformated all of the document's
elements to fit in the window. I thought my friend would faint.
Needless to say, he was less excited when he left -- by at least an order
of magnitude.
---------
Mosaic is a publishing tool designed by technologists, not publishers.
This is a problem. A big one.
---------
Mosaic sells well to: Until:
Advertisers They ask for demographics.
Publishers They ask for presentational control.
Users They understand the cost.
-- </rr> Rob Raisch, The Internet Company
