Re: New Method for Authenticated Public Key Exchange without Digital Certificates
From: lyal (lyalc_at_no.spam.no.ozemail.com.au)
Date: 08/11/04
- Previous message: Simon Johnson: "Re: Hacking the DMCA with encryption"
- In reply to: Mok-Kong Shen: "Re: New Method for Authenticated Public Key Exchange without Digital Certificates"
- Next in thread: Mok-Kong Shen: "Re: New Method for Authenticated Public Key Exchange without Digital Certificates"
- Reply: Mok-Kong Shen: "Re: New Method for Authenticated Public Key Exchange without Digital Certificates"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 11 Aug 2004 08:21:21 +1000
"Mok-Kong Shen" <mok-kong.shen@t-online.de> wrote in message
news:cfa4f7$e7e$03$2@news.t-online.com...
>
>
> lyal wrote:
> > "Mok-Kong Shen" <mok-kong.shen@t-online.de> wrote:
>
[snip]
> If they use CA, then that's it. If they don't, then that's
> insecure, as you said, right? So what's your point? You want
> just to accept the security risk and do nothing?
No - use other processes to assess and reduce risk. Digital certificates
and conventional PKI do not fix the trust or authentication problems.
Think and analyse, please.
[snip]
> The economy in the present case is testified by the
> existence of the CA business, I suppose.
If you mean a shrinking number of companies slowly going broke issuing SSL
certs, then yes, this testifies to the technical and commercial value of
conventional PKI and CAs.
> BTW, we were talking about credit cards, right? First, as
> said in another follow-up, the card issuer is a CA. Second,
> the card number will be sent to merchant account provider
> and to the bank. There is secure communication involved.
> To obtain that security, certification and hence CA will
> be needed, if I don't err.
BZZZZT.
Card schemes almost never issue any certificates - this is outsourced to
others who take the liability for brand and financial loss.
> >>>>involved somewhere, I suppose. Anyway, as I said previously, I
> >>>>don't see how one could establish trust online with a party that
> >>>>one hasn't at least done some business before. (And that is a
> >>>>very common case in e-commerce nowadays in my view.)
> >>>
> >>>True - and it punches a big hole in the concept of doing business with whom
> >>>there has been no prior communication, the nearest thing to a reason in
> >>>favour of PKI in the first place.
> >>
> >>I understand that you are here also in favour of digital signatures
> >>and CAs. Am I right?
> >
> >
> > Sorry, wrong assumption - try again (hint - there is only one other
> > option).
>
> Sorry for being unintelligent and can't catch the hint. Could
> you please explain in some details?
PKI sucks as a process to provide trust or confidence in ecommerce.
Is that clear enough?
Learn, Think, Analyse.
>
> >>There were times where e-mails were clean but now one finds
> >>everywhere spams. Things can evolve quite a bit apparently.
> >>Of course, if the value of a transaction is fairly small,
> >>one needs little or no security protection. But we should
> >>also take care of cases that involve substantial monetary
> >>(and/or other) values and, in the general spirit of this
> >>group, consider opponents that eventually have substantial
> >>resources at their disposal, don't we?
> >
> >
> > If there is substantial value involved, wouldn't an out of band process
> > reduce risk more than merely knowing an entity was able to pay for a digital
> > cert containing a number of assertions which the CA usually can't strongly
> > verify?
> > SSL certificates are a common example - a couple of faxes on company
> > letterhead, and a follow up phone call will result in a Verisign cert being
> > issued in the name of almost any web site to the requester, regardless of
> > the true web site owner's wishes.
> > Having done the process multiple times (legitimately), that's all the process
> > breaks down to - I have not done this illegitimately, for obvious reasons.
> >
> > The entire process and certificate lifecycle must be trusted, by everyone,
> > for PKI to produce the mythical trust it is supposed to have.
> > Trust between 2 parties is a lot easier than instant mutual trust between
> > several million individuals and several thousands of companies and
> > government agencies.
> >
> > The PKI process and the underlying concepts are flawed - so let's not waste
> > real-world time on trying to build workable X.509-based ones - the term is
> > an oxymoron.
>
> You could always have out-of-band processes. But then you
> could even downright revert to the traditional way of doing
> transactions, via ordinary mails and manual signatures and
Well, all successful ecommerce businesses rely on some traditional or out of
band process to reach the consumer, and generate trust that's as good as
their last customer interaction - the benchmark that must be met.
Online advertising sucks as a way to reach customers. Besides, who knows
where the advertising content comes from, and who ultimately benefits if
someone does click thru the ad? SSL site authentication is so flawed as to be
unreliable in large mass markets with the lowest cost browsers, so it cannot
be relied upon without accepting tangible levels of risk.
> the whole discussion around PK would be unnecessary for us,
> right? On the other hand, you mentioned Verisign cert above.
> Isn't there a certification process involved? (If you happen
> to know that in some details, please kindly give a sketch of
A fax or 2 on company letterhead, a few phone calls, and hey presto, a CA
will issue a cert for a domain, regardless of who the true requester is.
> it, since I have no concrete knowledge of that.)
>
> M. K. Shen
>
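The out-of-band process lyal argues for above (and the thread's subject, authenticating a public key without a certificate) can be made concrete. The following is an added example, not code from the thread or from either poster: the key received online is reduced to a SHA-256 fingerprint, that fingerprint is compared against one obtained through a separate channel (a phone call, a printed letter, a prior in-person meeting), and a trust-on-first-use pin store records the fingerprint so that later sessions are checked against the first. The key bytes are constructed placeholders, and the peer name "merchant.example" is an assumption; real use would feed in the peer's DER-encoded public key.

```python
"""Out-of-band public key verification by fingerprint, plus trust-on-first-use pinning.

Added example, not part of the original thread. The "public keys" below are
constructed placeholder byte strings, not real key material.
"""
import hashlib
import hmac

# Constructed sample keys (placeholders standing in for DER-encoded public keys).
MERCHANT_KEY = b"-----CONSTRUCTED SAMPLE PUBLIC KEY A-----"
IMPOSTOR_KEY = b"-----CONSTRUCTED SAMPLE PUBLIC KEY B-----"


def fingerprint(public_key: bytes) -> str:
    """SHA-256 of the key, hex, grouped in 4-char blocks so it can be read out over a phone."""
    digest = hashlib.sha256(public_key).hexdigest()
    return ":".join(digest[i:i + 4] for i in range(0, len(digest), 4))


def normalize(fp: str) -> str:
    """Strip separators and case so a fingerprint typed from a fax compares cleanly."""
    return fp.replace(":", "").replace(" ", "").lower()


def verify_out_of_band(public_key: bytes, expected_fingerprint: str) -> bool:
    """True if the key received online matches the fingerprint obtained out of band.

    compare_digest is used so a mismatch does not leak which prefix matched.
    """
    seen = normalize(fingerprint(public_key)).encode()
    expected = normalize(expected_fingerprint).encode()
    return hmac.compare_digest(seen, expected)


class PinStore:
    """Trust-on-first-use store: the first key seen for a peer is pinned, later keys are checked.

    Returns "pinned" on first contact (no authentication yet, only a record),
    "match" when the key is the one pinned earlier, and "mismatch" when the
    peer presents a different key, which is the case to stop and investigate.
    """

    def __init__(self) -> None:
        self._pins: dict[str, str] = {}

    def check(self, peer: str, public_key: bytes) -> str:
        fp = normalize(fingerprint(public_key))
        known = self._pins.get(peer)
        if known is None:
            self._pins[peer] = fp
            return "pinned"
        if hmac.compare_digest(known.encode(), fp.encode()):
            return "match"
        return "mismatch"


if __name__ == "__main__":
    # The merchant reads this fingerprint to the customer over the phone (out of band).
    spoken = fingerprint(MERCHANT_KEY)
    print("out-of-band fingerprint:", spoken)
    print("merchant key verified:", verify_out_of_band(MERCHANT_KEY, spoken))
    print("impostor key verified:", verify_out_of_band(IMPOSTOR_KEY, spoken))

    store = PinStore()
    for key in (MERCHANT_KEY, MERCHANT_KEY, IMPOSTOR_KEY):
        print("pin check:", store.check("merchant.example", key))
```

The first contact in the pin store is deliberately reported as "pinned" rather than "match": trust-on-first-use authenticates continuity, not identity, so the fingerprint still has to be confirmed out of band once for the pin to mean anything on a high-value transaction.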