[11735] in Commercialization & Privatization of the Internet
Re: Random Thoughts Regarding RSA/NCSA/EIT
daemon@ATHENA.MIT.EDU (Brian Hawthorne - SunSelect Strate)
Sat Apr 16 05:37:02 1994
Date: Fri, 15 Apr 1994 15:52:48 +0500
From: brianh@suneast.east.sun.com (Brian Hawthorne - SunSelect Strategic Marketing)
To: raisch@internet.com
Cc: com-priv@psi.com
> Excuse me, but if my login is cracked and my private key -- which one
> must infer is kept in some form in my account -- is filched, I am no longer
> exclusively "me." No?
Private/Public key pairs range in size from 40 bits to 1024 bits; the
larger they are, the more secure.
Your private key is usually DES-encrypted with a pass phrase of any
length you want. To be really secure, you should keep even this
encrypted file secure (I keep mine on a PowerBook that runs no
server software--it can access the network, but nobody can access
it. I maintain physical security of the hardware most of the time.
For more security, I could keep the private key file on a floppy disk
and carry it in my shirt pocket).
>
> I believe that soft or abstract identification -- by itself -- will never
> be generally useful for Internet commerce. Hell, the problems here are
> not technical. They are political and social. Where will I register my
> public key? Who manages this information? Who is the authority?
There are many proposed certificate authorities. CommerceNet will be
setting itself up as a certificate authority, and will also certify
other certificate authorities (such as your private company).
> How much of unauthorized purchases am I personally responsible for? If my
> Visa is pinched, I'm only liable for the first $50, I think. What banks
> currently accept online transactions? I know of none. What federal
> agency oversees online transactions?
Chances are that initially, you will actually use your Visa number,
but will send it encrypted to the vendor rather than speaking it
out loud over the telephone.
> How can I be assured that my purchases to X Corp. are not being monitored
> by others? How can I be sure that the moment I buy anything online that
> my purchasing habits are not being monitored?
The same issues apply to existing mail-order companies, who will
probably be the first users of this technology. See the Internet
Shopping Network (http://shop.internet.net) as an example of what
is to come. You must fax your credit card number to them to become
a member, but I'm sure they'll use the RSA-http once it is done.
> I use EDI to purchase 30,000 left-handed widgets. My competitors gain
> access to this information and learn my company's next big marketing push.
You use the telephone to purchase 30,000 left-handed widgets. Same problem.
> Remember: There is a BIG BIG difference between point-to-point
> communications and packet switching.
With public-key encryption, all they can do is analyze your traffic
and know that you had some sort of transaction with company XYZ.
> Do YOU know how many companies are aware of the fact that you recently
> purchased that rubber novelty via mail order?
I only order rubber novelties from companies with a reputation for
discretion. (:-)
> In fact, there is an interesting analogy here with mail order. But as a
> merchant in mail order, I am not allowed to deliver product to a P.O. Box.
> This is because the extra level of indirection to the recipient is
> considered risk. Strong enough risk, in fact that I am not allowed to
> deliver to this kind of customer.
Hmm. I know many people who order products from mail order and have them
delivered to P.O. Boxes. UPS, FedEx and AirBorne cannot deliver to
P.O. Boxes, but that is because the P.O. Boxes are USPS property.
> Mosaic has other problems as a useful platform for Internet commerce, not
> the least of which is the fact that comparatively few users of the global
> Internet have access to workstations supporting the necessary
> capabilities to run Mosaic in any reasonable fashion. How big a pipe is
> required to REALLY run Mosaic?
As long as I avoid video and audio clips, it works fine on my
PowerBook or 486 PC over a 14.4K modem (current cost $149 at Egghead...)
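The scheme Brian describes above (a private key kept only in passphrase-encrypted form, so that a filched file alone does not make the thief "you", plus a card number sent to the vendor encrypted under its public key) can be walked through in code. The block below is an added illustration and is not part of the original message or of any RSA/NCSA/EIT software. It uses a textbook RSA pair built from two fixed, constructed primes (far too small for real use), PBKDF2 for the passphrase step, and an HMAC-SHA256 counter-mode keystream with a MAC tag as a stand-in for the DES encryption of the key file; the passphrase, the order text and the card number 4111111111111111 are constructed sample inputs, and the same toy key pair plays both the customer and the vendor.

```python
import hashlib
import hmac
import json
import secrets

# Constructed toy RSA parameters: two known primes, NOT a real key size.
P = 1000000007
Q = 998244353
E = 65537
PBKDF2_ROUNDS = 200_000


def rsa_keygen():
    """Textbook RSA key pair from the fixed toy primes above (no padding)."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)  # modular inverse; needs Python 3.8+
    return {"n": n, "e": E}, {"n": n, "d": d}


def _digest_int(message: bytes) -> int:
    # Truncate SHA-256 to 56 bits so the integer is below the toy modulus.
    return int.from_bytes(hashlib.sha256(message).digest()[:7], "big")


def rsa_sign(priv, message: bytes) -> int:
    return pow(_digest_int(message), priv["d"], priv["n"])


def rsa_verify(pub, message: bytes, sig: int) -> bool:
    return pow(sig, pub["e"], pub["n"]) == _digest_int(message)


def rsa_encrypt_int(pub, m: int) -> int:
    assert 0 < m < pub["n"], "message must be smaller than the modulus"
    return pow(m, pub["e"], pub["n"])


def rsa_decrypt_int(priv, c: int) -> int:
    return pow(c, priv["d"], priv["n"])


def _keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a constructed stand-in for a stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def _derive(passphrase: str, salt: bytes):
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return km[:32], km[32:]  # (encryption key, MAC key)


def protect_private_key(priv, passphrase: str) -> dict:
    """Encrypt the private key under a passphrase and authenticate the result."""
    salt = secrets.token_bytes(16)
    enc_key, mac_key = _derive(passphrase, salt)
    plaintext = json.dumps(priv).encode()
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, len(plaintext))))
    tag = hmac.new(mac_key, salt + ct, "sha256").digest()
    return {"salt": salt.hex(), "ct": ct.hex(), "tag": tag.hex()}


def unprotect_private_key(blob: dict, passphrase: str):
    """Return the private key, or None when the passphrase is wrong (MAC fails)."""
    salt, ct, tag = (bytes.fromhex(blob[k]) for k in ("salt", "ct", "tag"))
    enc_key, mac_key = _derive(passphrase, salt)
    expected = hmac.new(mac_key, salt + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        return None
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, len(ct))))
    return json.loads(pt)


def demo():
    pub, priv = rsa_keygen()
    blob = protect_private_key(priv, "correct horse battery staple")  # constructed
    # The login is cracked and the key file is filched, but not the passphrase.
    stolen = unprotect_private_key(blob, "password1")
    # The owner unlocks the file and signs an order.
    owner = unprotect_private_key(blob, "correct horse battery staple")
    order = b"purchase 30,000 left-handed widgets"  # constructed sample
    sig = rsa_sign(owner, order)
    # The customer sends a constructed card number encrypted to the vendor's key.
    card = 4111111111111111
    ciphertext = rsa_encrypt_int(pub, card)
    return {
        "stolen": stolen,  # None: the thief cannot recover the key
        "sig_ok": rsa_verify(pub, order, sig),
        "card_round_trip": rsa_decrypt_int(owner, ciphertext) == card,
    }


if __name__ == "__main__":
    print(demo())
```

The point the demo makes is the one Brian is making: what is stored in the account is the ciphertext of the key, so possession of the file without the passphrase yields nothing (here the MAC check fails outright rather than returning garbage), while the legitimate owner can still unlock it and sign. An eavesdropper on the card exchange sees only the ciphertext and the two endpoints, which is the traffic-analysis residue mentioned later in the message.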