On Mon, 12 Jun 2000, Yuji Shinozaki wrote:

> I think the problem is multi-leveled:

<snip>> 
> 
> 4. At the practical and everyday level, we can be pretty sure that the
> certs delivered with Netscape and IE are OK.  If we go to some fairly
> well-traversed public site using one of these certs, some red flags will
> go up when you get signature mismatches...  That will tip you off
> that your cert list has been compromised.  Besides you could say: "What am
> I risking? I take no less a risk when I give my credit card to the
> cashier, or when I order that L.L. Bean hunting jacket over the phone.  
> Don't bother me with your paranoia."

Therein lies part of the problem and also part of the answer on how CAs
should be structured.  The market niche for CAs needs to be defined more
clearly.  Internet credit card commerce did not start to take off until
last Christmas season when banks generally agreed that a web or internet
credit card transaction is classified as a "card not present" transaction,
the same as a mail order telephone transaction.  The card holder is
not liable for misuse or loss.  The risk of loss is totally with the
bank and the merchant.

An interesting question is "What level of loss is the bank willing to
absorb before it becomes economically viable for the bank consortiums that
run Mastercard and Visa to begin issuing and mandating the use of the
bank-issued cert for transactions?"  Implementing or mandating the use is, I
believe, just as big a marketing problem as a technical problem.

Bank 1 :  "More secure"  Bank 2 :  "Less hassle"
Refrain with apologies to the beer industry. ;-)
 
Compared to the total volume, Internet credit card usage is still a
tiny fraction.  With Internet time however, I wouldn't want to guess
a product life cycle time here.

This leaves 999 (at least) other uses for CAs.  Time needs to be spent on
how to define these market niches, scale economies and implementation
issues.

Cheers:
-arc

Arley Carter                            [EMAIL PROTECTED]
Tradewinds Technologies, Inc.           www.twinds.com
Winston-Salem, NC  USA                  Network Engineering & Security  


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]