On Monday 23 May 2005 21:09, Anne & Lynn Wheeler wrote:
> Taking one billion internet clients as first order approximation to
> estimated SSL domain name certificate relying parties ... then gross,
> first under approximation to required number of such contracts would
> be 50 billion individually signed contracts.

Etc etc ad nauseam. This is one of the confused goals of SSL / PKI / HTTPS - is it for credit card protection or not?

If it is (and let's extend this to online banks) then the relying parties have to get something from it, such as an ability to sue any time they get ripped off. Yet this can't happen because the rip-off-ee or victim has no contract relationship with the one offering the contract.

If not, then there is no need to get all worried and retentive about who or what or how SSL is used in secure browsing. It should be there for all those non-contractual parties to get in and do it. But that's clearly not the case because no user can turn on SSL just because they desire it, and a server has to enter a contractual relationship to turn it on, even though the relying parties don't benefit from that contractual relationship, and as a practical matter, the paying contractual parties don't have a contract worth a damn either.

In sum, it's a structure that does not deliver because it has an internal conflict in its goals and target user base. It serves neither properly. So it does not grow. Those that want and need the privacy protection find it too expensive, so they ignore it, and those that want and need the contractual protection can't get it so they ignore it. Only those in some field where their standards are set by other agencies can we find use of the product.

As an observation, what's happening on the litigation front suggests that the scene is now set for this conflict of goals to be tested in court. There are now 4 separate thrusts in litigation testing the assumptions of Internet security (two of these are not public). Which means that patience is exhausted, and what is presented as security is no longer taken at face value.

iang
--
Advances in Financial Cryptography: https://www.financialcryptography.com/mt/archives/000458.html
