Diane,

Here's a pretty good article by Rik Farrow about SSL: http://www.networkmagazine.com/article/NMG20001219S0006

Have them take a look at what some researchers in the Netherlands did to 512-bit encryption: http://www.nwfusion.com/news/1999/0827crack.html

and I'd get a copy of the Deloitte / ISACA report on e-commerce security best practices. See: www.isaca.org/ecomm-e1.htm

You also might look around the W3C site (http://www.w3.org/Security/Faq/wwwsf3.html), SANS, SecurityFocus and SecurityPortal for related articles.

Hope this helps!

-- Bill Stackpole, CISSP




"Diane Wood" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]

05/07/01 01:05 PM

       
To: <[EMAIL PROTECTED]>
cc:
Subject: 128-bit encryption battle with sales force



Can anyone help me with published references clearly stating that 128-bit encryption and 1024-bit certificates are recommended in an e-commerce solution?  Or, in opposition, something that explicitly states that 40-bit is a respectable/secure choice for e-commerce?

I have enabled strong encryption on our current e-commerce website and inadvertently started a major battle between our vendor sales manager and myself.  The vendor is concerned they are losing potential customers (money) with the 128-bit requirement, and claiming to my management that I am being too paranoid.

My management is siding with the sales force and I've been told to roll encryption back to 40-bit unless I can substantiate my claim that strong encryption is required to be industry standard for online e-commerce solutions.

Any help would be greatly appreciated!

Thanks,

Diane Wood
Internet & Network Security Services
Florida Department of Highway Safety & Motor Vehicles
[EMAIL PROTECTED]


