[11755] in Commercialization & Privatization of the Internet


Re: Random Thoughts Regarding RSA/NCSA/EIT

daemon@ATHENA.MIT.EDU (Rob Raisch, The Internet Company)
Sun Apr 17 17:41:06 1994

Date: Sun, 17 Apr 1994 12:31:39 -0700 (PDT)
From: "Rob Raisch, The Internet Company" <raisch@internet.com>
To: "Kent W. England" <kwe@cerf.net>
Cc: Brian Hawthorne - SunSelect Strategic Marketing <brianh@suneast.east.sun.com>,
        com-priv@psi.com
In-Reply-To: <199404152350.QAA27709@is.internic.net>


On Fri, 15 Apr 1994, Kent W. England wrote:

> What if we just use the key-pair for greater security between one buyer and
> one seller for a sequence of transactions over time?    

Ok, now I have to manage potentially thousands of different key-pairs.  

> Assume we still use credit card numbers for the financial part.

Will your bank accept a transaction from you once they know from whence 
the transaction originates?  Has anyone asked them?  Are there any 
representatives of financial institutions here on com-priv?

> Keep your private key on your portable PC.

Ok, now I need a portable PC.  

And more importantly, I need to know what the potential personal financial
risks are in using on-line transactions.  I have an inkling of them but do
most people? 

Explain to the typical Prodigy or America Online user what the risks 
really are.  Explain to typical SLIP users why it's not such a good 
idea to keep their private keys on-line.  Explain to me how a SLIP or PPP 
enabled machine is guaranteed to be secure.

The real problems are educational.  The fact is, we are talking about 
human nature here.  System admins can't get users to select secure login 
passwords.  How do we expect to manage this?  It's a chicken and egg 
problem. Until there is an on-line commerce worth bothering about, there 
won't be any interest from real software developers in creating the tools 
required.

I am worried that we are talking about technological solutions to seemingly 
simple problems without thinking the whole thing through.  (Obviously, 
there are far greater minds at work here than mine, but I worry about 
these things.)

During the Morris Worm incident, I was working for Michigan State
University.  Through the diligence of a select few network admins, MSU was
never "infected." But living through that and doing a very little
research, I found out something quite interesting.  Sun knew of the
sendmail debug weakness and the ftp cd hole.  In fact, both were well
known "features" in the BSD communities.  I went on record saying that the
REAL criminals were Sun, DEC, and HP, for shipping operating systems that
they KNEW to be insecure. 

I understand the risks involved in using my credit cards.  I understand 
the risks involved in sending cash through the mails.  I understand the 
risks in leaving my wallet on the front seat of an unlocked car.

I do not understand the risks involved in on-line commerce.  And I do not 
think that ANYONE really does.  Yet.

> Mail order companies thrive using phones and credit cards and they never
> need to see faces or fingerprints.  Pizza delivery companies are the same.
> As long as each transaction is small, the risk is small.

How many transactions with how many sellers can I enter into at one moment
in the real world?  How simple do you think it might be to purchase $10 of
data from 50,000 sources in the course of an hour, on-line? 

Half a million here, a half a million there...pretty soon we're talking 
about real money. 

</rr>
