
Re: WWW Security and Standards Efforts



>It appears that there are multiple, parallel efforts underway
>regarding various aspects of WWW security.  While each may be based on
>RSA and DES technologies, their differing approaches to other aspects
>of the security problem could impede interoperability.  In particular,
>CERN, EIT, and the IETF are all in the process of specifying
>approaches for one or more of the following: security mechanism
>negotiation, data encapsulation, and key management.


This is not quite right. CERN and EIT both have proposals concerned with
security. Shen is primarily a trust model and an adaptation of the PEM
standard in the context of HTTP. EIT are concentrating on facilitating
electronic commerce. 

The whole point of the web is to be able to integrate different protocols.
So even if S-HTTP were to remain separate there would not be a problem
incorporating it into the web. The best solution is of course to work towards
as much commonality as is possible when working in different continents and
with a ban on the exportation of encryption technologies.

I don't want to end up going to jail and I suspect that the EIT people have
the same general idea. So until our governments decide that it might be a
bit of a silly idea for the US and EU govts to both fund essentially the
same work and allow us to move round binaries and source we are in a mess.

If there weren't loonies running round lobbing bombs it would be easier to
get permission to use this stuff. As it is governments are quite justifiably 
worried about terrorists getting secure encryption.


On the Electronic commerce stuff we are of course trying to fix up a system
that is ridiculously designed in the first place. The idea of ordering goods
through a credit card number is a very silly one indeed security wise. Because
it is essentially broken we are forced to make workarounds :-( As it is we
can make the system as secure as ordering by telephone, i.e. not very secure at
all. How can you trust the person taking the order? We are using all this
very beautiful crypto technology to produce a system that is much weaker
than it could be and requires encryption into the bargain.

The real solution is of course for AMEX, Mastercard and Visa to get their
act together, pay a lump 'o dosh to RSA and produce a secure signature system
which we can then build upon. That is of course an area where EIT hopefully
can put a bit of pressure where it matters. After all if the credit card
companies don't clean up their act they will be taking the massive losses
through fraud which another company can eliminate and thus offer lower
cost.


Finally, trust is a complex thing. The system I am interested in building is
one which people are psychologically able to trust. Because people are
irrational it is not possible to use technology alone as a solution. People
do not trust what they cannot understand. At the end of the day people will
inevitably require a failsafe to prevent themselves from making costly 
mistakes. In my view this failsafe will inevitably involve a bit of plastic
with a chip that can be physically removed from the machine.

As an exercise try to give a possible advantage of using the plastic ball
that allows you to "clean right at the heart of the wash". Micro powders
were technologically possible in the 60s when synthetic soaps became the
norm. They were psychologically unacceptable until someone thought up the
plastic ball.


Phill H-B

