"Anders Rundgren" <[EMAIL PROTECTED]> writes:

> Replacing the _indeed_ stale cert info with a stale signed account
> claim would not have any major impact on this scenario except for a few
> saved CPU cycles.
>
> SSL is by no means perfect but frankly; nobody has come up with a
> scalable solution that can replace it. To use no-name certs is not
> so great as it gives user hassles
i got to do some amount of the early work on the original aspects of SSL deployments ... so we went thru almost all these issues over and over again when we were doing it originally

now for a small topic drift ... slightly related posting
http://www.garlic.com/~lynn/2005i.html#33 Improving Authentication on the Internet

in the above ... fast could have certificateless, digitally signed transactions approving the operation. in much the same way that x9.59 transactions
http://www.garlic.com/~lynn/index.html#x959
could be certificateless and digitally signed ... fast transactions could involve matters other than approving a specific amount of money (i.e. standard payment transaction getting back approval that the issuing institution stood behind the amount of the transaction).

in much the same way that an x9.59 transaction wouldn't be viewed valid unless the corresponding digital signature correctly verified ... the requirement to have the subject's digital signature on other types of requests would also serve to help protect their privacy. the fast age thing was of interest ... because it eliminated having to divulge birthdate (an identity theft issue) while still confirming whether a person was an adult or wasn't an adult. There was also some fast look at zip-code verification in addition to age verification.

Some number of people were proposing certificates could follow the driver's license offline credential model ... and that anything that might be on a driver's license (and more) would be fair game to put into a certificate. This overlooked the fact that driver's licenses were really offline paradigm credentials ... and as the various relying parties acquired online connectivity ... there was less & less a requirement for information content on the driver's license itself (it could migrate more to the relying-party-certificate model with little more than an account number to the information in an online repository ... little things like aggregated information ... number of outstanding parking tickets ... etc).

the "fast" issue (especially age verification, not actually age ... just yes/no as to being an adult) for the financial institutions was that while quite a bit of money is being made by the online age verification services (... and there is almost no incremental cost needed to add such an option to the existing 8583 infrastructure and giving internet access) most of the money flow into the age verification operations comes from a segment of the internet market that many find embarrassing ... and as a result many financial institutions are ambivalent about being involved.

--
Anne & Lynn Wheeler | http://www.garlic.com/~lynn/

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
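The certificateless, digitally signed yes/no request described in the post above (adult-or-not and zip-code confirmation answered from an online repository keyed by account number, with the birthdate never leaving the repository), as an added example that is neither Lynn Wheeler's code nor anything defined by X9.59 or FSTC. It assumes Ed25519 signatures, a toy in-memory `Registry`, the request type strings `ADULT?`/`ZIP?`, a length-prefixed field encoding, and constructed sample accounts; all of those are this example's own choices, not the message's.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Request types: the operation the subject is approving. Only a yes/no answer
// ever leaves the repository; the birthdate and zip code on file stay put.
const (
	ReqAdult = "ADULT?" // is the account holder 18 or older?
	ReqZip   = "ZIP?"   // does the supplied zip code match the one on file?
)

// accountRecord is the repository entry an account number points at
// (assumed layout for this example; no standard defines it).
type accountRecord struct {
	pubKey ed25519.PublicKey
	birth  time.Time
	zip    string
}

// Registry stands in for the issuing institution's online repository.
type Registry struct {
	accounts map[string]accountRecord
	seen     map[string]bool // account:nonce already answered, to refuse replays
}

func NewRegistry() *Registry {
	return &Registry{accounts: map[string]accountRecord{}, seen: map[string]bool{}}
}

// Enroll registers the subject's public key against an account number. The
// subject keeps the private key; no certificate is ever issued.
func (reg *Registry) Enroll(account string, pub ed25519.PublicKey, birth time.Time, zip string) {
	reg.accounts[account] = accountRecord{pubKey: pub, birth: birth, zip: zip}
}

// Request is the certificateless, digitally signed transaction. The verifier
// finds the key by Account, so nothing but the account number travels with it.
type Request struct {
	Account string
	Type    string
	Arg     string // zip code supplied by the relying party for ReqZip; else empty
	Nonce   uint64 // freshness; covered by the signature
	Sig     []byte
}

// signedBytes is the canonical encoding covered by the signature. Fields are
// length-prefixed so "ab"+"c" and "a"+"bc" cannot produce the same bytes.
func (r *Request) signedBytes() []byte {
	var b []byte
	for _, s := range []string{r.Account, r.Type, r.Arg} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(s)))
		b = append(b, n[:]...)
		b = append(b, s...)
	}
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], r.Nonce)
	return append(b, n[:]...)
}

// Sign is what the subject's device does before the request is sent.
func Sign(priv ed25519.PrivateKey, r *Request) {
	r.Sig = ed25519.Sign(priv, r.signedBytes())
}

// Answer is the repository side: a request is not even considered unless its
// signature verifies under the key on file for that account.
func (reg *Registry) Answer(r *Request, now time.Time) (bool, error) {
	rec, ok := reg.accounts[r.Account]
	if !ok {
		return false, errors.New("unknown account")
	}
	if !ed25519.Verify(rec.pubKey, r.signedBytes(), r.Sig) {
		return false, errors.New("signature does not verify; request rejected")
	}
	key := fmt.Sprintf("%s:%d", r.Account, r.Nonce)
	if reg.seen[key] {
		return false, errors.New("replayed request rejected")
	}
	reg.seen[key] = true
	switch r.Type {
	case ReqAdult:
		// 18th birthday on or before "now"; the date itself is never disclosed.
		return !now.Before(rec.birth.AddDate(18, 0, 0)), nil
	case ReqZip:
		return rec.zip == r.Arg, nil
	}
	return false, errors.New("unknown request type")
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	reg := NewRegistry()
	// Constructed sample account and dates; not real data.
	reg.Enroll("4111-0001", pub, time.Date(1980, 6, 15, 0, 0, 0, 0, time.UTC), "94103")
	now := time.Date(2005, 5, 1, 0, 0, 0, 0, time.UTC)

	req := &Request{Account: "4111-0001", Type: ReqAdult, Nonce: 1}
	Sign(priv, req)
	fmt.Println(reg.Answer(req, now)) // true <nil>

	// A relying party altering the zip after signing gets a rejection, not an answer.
	bad := &Request{Account: "4111-0001", Type: ReqZip, Arg: "94103", Nonce: 2}
	Sign(priv, bad)
	bad.Arg = "10001"
	fmt.Println(reg.Answer(bad, now)) // false signature does not verify; request rejected
}
```

The point the post makes is visible in `Answer`: the relying party learns only a boolean, and the repository will not act on anything that is not signed by the key registered under the account, so the account number alone gives a third party no way to query the birthdate or zip on someone else's behalf. The nonce is included only to show the replay check a real deployment would need; the 8583 field layout is not modelled.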
