--
From: Henry Sinnreich [mailto:[EMAIL PROTECTED]]:
> > Am not sure such complexity is justified for phone calls having the
> > cost close to e-mail.
At 10:10 AM 9/1/2000 -0500, Brian Stucker wrote:
> Cheap or not, do you really want to start chipping away at the image
> that people have that a phone call is ubiquitous, reliable, and
> (relatively) secure transaction in their minds? It took decades of
> marketing and technical performance to get to that point, why not
> try to maintain that in the future?
Possibly you understood Henry Sinnreich as referring to the computational
cost of preventing offline dictionary attacks.
I understood him to be referring to the user experience.
The user experience should of course be unaffected by the defence against
dictionary attack, if that defense is correctly implemented, but he is
correct to claim there is a computational cost.
In the scheme I described, there is one public key operation per pair of
entities interacting, per logon session, not several public key operations
per interaction.
Several public key operations per interaction would indeed be an
unacceptable expense. One public key operation per pair of interacting
entities per logon session, not per message, is unlikely to be a
significant expense.
A single https web page takes many public key operations, typically eight
to twelve per web page, and this has been a significant, but tolerable,
barrier to the deployment of https.
To implement security at a cost similar to that of https would indeed be an
unacceptable cost, because of the large number of very small interactions
we expect. The proposal I described was designed to minimize the cost of
public key operations, to keep them to a level much lower than those of https.
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
F4BXeae+tmDuVH7AGWuWikXT20fqIq6Narhv2/0C
4gHoCmYD2HS/uDHpSCaIQuLuU707H/TjqyEoPD2s1
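The cost argument in the message above (public key work amortized once per session rather than once per message) can be made concrete by counting the expensive operations. The following is an added illustration and is not the scheme James A. Donald describes, nor anything from the SIP thread: it uses a plain Diffie-Hellman exchange in a toy group (the prime 2^127 - 1 and generator 3 are assumptions chosen only so the code runs offline; they are far too small for real use) to derive one session key, then protects every message with an HMAC, which is symmetric and therefore cheap. The modular exponentiation counter shows the public key cost staying flat no matter how many messages follow.

```python
"""Cost-model sketch: one key exchange per session, symmetric MACs per message.
Added example only; the group parameters are a toy choice for demonstration."""
import hashlib
import hmac
import secrets

# Toy group (assumption): p = 2^127 - 1 is prime but far too small for real use.
P = (1 << 127) - 1
G = 3

PUBLIC_KEY_OPS = 0  # number of modular exponentiations, the expensive operation


def modexp(base, exp):
    """Modular exponentiation, counted as one public key operation."""
    global PUBLIC_KEY_OPS
    PUBLIC_KEY_OPS += 1
    return pow(base, exp, P)


class Party:
    def __init__(self, name):
        self.name = name
        self.priv = secrets.randbelow(P - 2) + 1      # private exponent in [1, P-2]
        self.pub = modexp(G, self.priv)               # public key op #1 for this party
        self.session_key = None

    def establish(self, peer_pub):
        """Derive the session key from the peer's public value (public key op #2)."""
        shared = modexp(peer_pub, self.priv)
        self.session_key = hashlib.sha256(shared.to_bytes(16, "big")).digest()

    def send(self, msg: bytes) -> bytes:
        """Append an HMAC tag; symmetric work only, no public key operation."""
        tag = hmac.new(self.session_key, msg, hashlib.sha256).digest()
        return msg + tag

    def receive(self, frame: bytes) -> bytes:
        """Verify the tag in constant time and return the message, or raise."""
        msg, tag = frame[:-32], frame[-32:]
        expected = hmac.new(self.session_key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("MAC check failed")
        return msg


def run_session(n_messages):
    """Return (ops after handshake, ops after n messages, keys agree)."""
    global PUBLIC_KEY_OPS
    PUBLIC_KEY_OPS = 0
    alice, bob = Party("alice"), Party("bob")
    alice.establish(bob.pub)
    bob.establish(alice.pub)
    ops_after_handshake = PUBLIC_KEY_OPS
    for i in range(n_messages):
        payload = f"INVITE {i}".encode()           # constructed sample message
        frame = alice.send(payload)
        if bob.receive(frame) != payload:
            raise RuntimeError("message corrupted")
    keys_agree = alice.session_key == bob.session_key
    return ops_after_handshake, PUBLIC_KEY_OPS, keys_agree


def tamper_detected():
    """A single flipped byte in a frame must fail the MAC check."""
    alice, bob = Party("alice"), Party("bob")
    alice.establish(bob.pub)
    bob.establish(alice.pub)
    frame = bytearray(alice.send(b"BYE"))
    frame[0] ^= 0x01
    try:
        bob.receive(bytes(frame))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_session(1000))      # public key ops stay at 4 for 1000 messages
    print(tamper_detected())
```

Each party performs two exponentiations per session (its own public value and the shared secret), so the total is four regardless of message count; contrast that with a design that signs or encrypts each message with a public key, where the count would grow linearly with traffic. This is the cost profile the message argues for, although the real scheme it refers to, which also has to resist offline dictionary attacks, is not reproduced here.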