Re: [Fwd: [isdf] need help from the ietf list...can someone post this for me? or allow me to post directly?]

Parry Aftab:

> What do you suggest short of an absolute guarantee?

Common sense.


> How do I advise consumers to tell the difference between legitimate
> e-mails with embedded links and the phished ones using spoofed sites?

What if you go to a branch office of a bank and, in the lobby of the bank, hand 1M USD in cash to some person whom you don't know but who claims to be a member of the bank's personnel?

> I am concerned that this could seriously undermine the use of e-mail and
> websites for e-commerce and financial transactions.

Exactly.


Who said e-mail and websites are useful for e-commerce and
financial transactions with an absolute guarantee?

They are only as trustworthy as e-commerce and financial
transactions over e-phones (note that most phones are
electric).

If some researchers of cryptography have convinced you
differently, it is merely that they are more elegant
in deceiving you than most spammers.

If you want to use cryptographic technology, shared
secret cryptography works. That is, if you share a long
enough secret directly with a bank and have a transaction
with challenge-and-response authentication, the transaction
is as reliable as bank personnel you directly know.

However, PKI does not help e-commerce or financial transactions,
as discussed in my recent paper: "Meaninglessness of Public
Key Cryptography for Authentication on Consumable Credential"
(presented in Japan in Japanese):

	Abstract: For electric transactions, the essential benefit
	of public key cryptography over shared key cryptography is
	that it is not necessary to communicate with a Certificate
	Authority on each transaction. However, it is meaningless
	to use public key cryptography for authentication on
	consumable credentials, such as authentication of the remaining
	credential in an account for electric payment, as fraud with
	tremendous damage is easily performed, unless communication
	with the authorities that manage the account and decrease the
	remaining credential is required on each transaction.

The problem of PKI without realtime management of remaining
credential is that an attacker can use 1K USD worth of certs
from 1000 different locations for 1000 seconds 1000 times a
second, the total amount of damage from which is 1T USD.

A credential can be created only with direct communication.

Masataka Ohta
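An added illustration of the two designs contrasted in the message above (shared-secret challenge-and-response settled online by the account authority, versus a credential that merchants verify offline without any view of the remaining balance). This is example code written for this archive page, not code from Masataka Ohta's post or paper; the class and function names, the HMAC-SHA256 construction standing in for both the customer's response and the issuer's signature, and all account names and amounts are constructed assumptions.

```python
"""Constructed example: online challenge/response spending vs. an offline-verified
voucher. Not code from the original post; all names, keys and amounts are assumed."""
import hashlib
import hmac
import secrets

AMOUNT_BYTES = 8
TAG_BYTES = 32  # HMAC-SHA256 output length


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over the concatenation of parts; the 'response' in the exchange."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


class BankAccountAuthority:
    """The online authority that holds the shared secret and the remaining credential."""

    def __init__(self) -> None:
        self._secrets: dict[str, bytes] = {}
        self._balance: dict[str, int] = {}
        self._seen_nonces: set[bytes] = set()

    def enroll(self, account: str, shared_secret: bytes, balance: int) -> None:
        # The secret is shared directly with the bank (out of band), as the post requires.
        self._secrets[account] = shared_secret
        self._balance[account] = balance

    def challenge(self) -> bytes:
        # Fresh, unpredictable nonce for every transaction.
        return secrets.token_bytes(16)

    def balance(self, account: str) -> int:
        return self._balance[account]

    def settle(self, account: str, nonce: bytes, amount: int, response: bytes) -> bool:
        """Verify the response and, in the same step, decrease the remaining credential."""
        key = self._secrets.get(account)
        if key is None or nonce in self._seen_nonces:
            return False  # unknown account, or a replayed challenge
        expected = mac(key, account.encode(), nonce, amount.to_bytes(AMOUNT_BYTES, "big"))
        if not hmac.compare_digest(expected, response):
            return False
        if amount <= 0 or self._balance[account] < amount:
            return False  # overdraw refused: the authority sees every transaction
        self._seen_nonces.add(nonce)
        self._balance[account] -= amount
        return True


class Customer:
    def __init__(self, account: str, shared_secret: bytes) -> None:
        self.account = account
        self._key = shared_secret

    def respond(self, nonce: bytes, amount: int) -> bytes:
        return mac(self._key, self.account.encode(), nonce, amount.to_bytes(AMOUNT_BYTES, "big"))


def pay_online(bank: BankAccountAuthority, customer: Customer, amount: int) -> bool:
    """One round of the exchange: bank challenges, customer responds, bank settles."""
    nonce = bank.challenge()
    return bank.settle(customer.account, nonce, amount, customer.respond(nonce, amount))


def replay_is_refused(bank: BankAccountAuthority, customer: Customer, amount: int) -> bool:
    """A captured nonce/response pair presented twice is accepted only once."""
    nonce = bank.challenge()
    response = customer.respond(nonce, amount)
    first = bank.settle(customer.account, nonce, amount, response)
    second = bank.settle(customer.account, nonce, amount, response)
    return first and not second


# Offline-verified voucher, standing in for "PKI without realtime management".
# Assumption: an issuer-held HMAC key plays the role of the issuer's signature.
# Merchants can check it offline, but nothing tells them what credential remains.
ISSUER_KEY = secrets.token_bytes(32)


def issue_voucher(account: str, value: int) -> bytes:
    body = value.to_bytes(AMOUNT_BYTES, "big") + account.encode()
    return body + mac(ISSUER_KEY, body)


def offline_merchant_accepts(voucher: bytes) -> int:
    """Verify the voucher offline and return the value it credits; 0 if invalid."""
    body, tag = voucher[:-TAG_BYTES], voucher[-TAG_BYTES:]
    if not hmac.compare_digest(mac(ISSUER_KEY, body), tag):
        return 0
    return int.from_bytes(body[:AMOUNT_BYTES], "big")


def offline_spend_total(voucher: bytes, merchants: int) -> int:
    """The same voucher shown to `merchants` offline verifiers: every one accepts it."""
    return sum(offline_merchant_accepts(voucher) for _ in range(merchants))


def demo() -> dict:
    bank = BankAccountAuthority()
    key = secrets.token_bytes(32)  # constructed shared secret
    bank.enroll("alice", key, 1000)
    alice = Customer("alice", key)
    return {
        "first_600": pay_online(bank, alice, 600),
        "second_600": pay_online(bank, alice, 600),  # refused: only 400 remains
        "remaining": bank.balance("alice"),
        "offline_total": offline_spend_total(issue_voucher("alice", 1000), 1000),
    }


if __name__ == "__main__":
    print(demo())
```

The online path refuses both the overdraw and the replayed response because the authority that holds the balance is on every transaction; the offline voucher is cryptographically valid at every merchant, so 1000 presentations of a 1000-unit voucher credit 1,000,000 with no way for any single verifier to notice, which is the damage model the message describes.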
