CFP: PKI research workshop

lynn.wheeler at firstdata.com
Wed Dec 26 16:36:52 EST 2001


again, why would the financial industry be interested in regressing (at
least) 30 years to a certificate-based offline model?

they do authentication of transactions that they also need to do
authorization for ....  in a model that has prior business relationship
between the parties. certificate-based PKI was targeted at the offline email
genre of the early '80s and is analogous to the offline credit-card model
pre-70s.

in addition to the x9.59 for all electronic payment transactions ... it is
possible to extend online authentication where the institution possibly
isn't also responsible for the authorization (and/or access privileges)....
things like FAST projects in FSTC:
http://www.fstc.org/projects/fastaggregation.cfm




ray dillinger <bear at sonic.net> on 12/26/2001 12:31 pm wrote:


In fact, that may be exactly it.  PKI, as espoused by vendors,
once established, will become an indispensable monopoly, like
AT&T before the breakup. Investors love the fantasy of buying
a kajillion shares for cheap today and then having them be
shares in an indispensable monopoly next year, so they are
inclined to believe.

The problem is that none of the vendors are offering anything
that someone who has significant volume (like a financial-services
company might) cannot provide for themselves.  The FS companies
can easily wait to adopt, because the margins offered by PKI are
fairly small and the initial investment required is fairly large.
Perhaps the margins will remain too small until royalty payments
can be eliminated entirely (until any patents expire) and the
FS companies can roll their own.  Whether or not the margins
are too small, the FS companies can wait that long easily.

But the PKI vendor cannot wait.  S/he will be out of business
in three or four years if nobody adopts.  The patents will be
for sale then much cheaper than the royalty payments s/he is
offering, and the FS negotiator across the table knows it.  The
PKI vendor therefore is going to get the worst end of the deal
every time s/he goes to financial services vendors, because s/he
is not dealing from a position of strength, and had best learn
the harsh lesson sooner rather than later.

A PKI will happen, eventually, but nobody is going to get into
a position where the financial-services sector depends on them
and has to pay them.  That's as fundamental in business as the
second law of thermodynamics in physics, and chasing the dream
of becoming an indispensable monopoly to the financial services
sector promises to be as frustrating to the seekers as the quest
for a perpetual motion device.

                                          Bear







---------------------------------------------------------------------
The Cryptography Mailing List