when a fraud is a sale, Re: Rubber hose attack

Rick Smith at Secure Computing rick_smith at securecomputing.com
Mon Nov 5 12:24:06 EST 2001


At 09:49 AM 11/5/2001, JohnE37179 at aol.com wrote:

>I tend to agree with you that we should extend the meaning
>of end-to-end to mean user-to-user, instead of device or
>token-to-token.

I'm not sure what this means.

If we get really specific, then a transaction between me and
a small used-book seller consists of a transaction between
individual humans, but my transactions with Amazon involve
an abstract entity represented by teams of humans. Presumably
my latest transaction still proceeds even if the first person
to process it at Amazon quits before the package is shipped.
That's not so clear if the bookseller drops dead.

If we look at authentication as an engineering problem, then
you can only 'authenticate' between entities that share some
fairly complex secret information. Anything else can be spoofed
pretty easily. I don't think it's practical to speak of strong,
network-based authentication between 'users' unless we tie them
to physical devices that store those secrets (private keys, etc.).

Of course, this distinction simply illustrates the gap between
our policy objectives (authenticate particular roles and/or
entities) and the available tools (verify ownership of hard-to-forge
credentials).


Rick.
smith at securecomputing.com            roseville, minnesota
"Authentication" in bookstores http://www.visi.com/crypto/
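The engineering point made above, that a network peer can only be authenticated by proof of possession of a shared secret, and that the verifier therefore confirms the device holding the key rather than the human behind it, can be shown in a small challenge/response exchange. The code below is an added illustration, not part of the original post or of any product; the key, the identity name and the registry are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample key standing in for a private secret kept on a token.
# Not a real credential.
REGISTERED_KEY = bytes.fromhex("1f" * 32)


def make_challenge() -> bytes:
    """Verifier: fresh random nonce, so a stale response must not verify again."""
    return secrets.token_bytes(16)


def respond(prover_key: bytes, identity: str, challenge: bytes) -> bytes:
    """Prover: MAC over the claimed identity and the challenge with whatever key it holds."""
    msg = identity.encode("utf-8") + b"\x00" + challenge
    return hmac.new(prover_key, msg, hashlib.sha256).digest()


def verify(identity: str, challenge: bytes, response: bytes,
           registry: dict[str, bytes]) -> bool:
    """Verifier: recompute with the key registered for `identity`; constant-time compare."""
    key = registry.get(identity)
    if key is None:
        return False
    msg = identity.encode("utf-8") + b"\x00" + challenge
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def run_exchange(prover_key: bytes, identity: str, registry: dict[str, bytes]) -> bool:
    """One full round: verifier issues a nonce, prover answers, verifier checks."""
    challenge = make_challenge()
    response = respond(prover_key, identity, challenge)
    return verify(identity, challenge, response, registry)


def scenarios() -> dict[str, bool]:
    """Outcomes of the exchange in the cases the discussion above distinguishes."""
    registry = {"rick": REGISTERED_KEY}          # constructed: one enrolled identity

    # 1. A token holding the registered key verifies.
    genuine = run_exchange(REGISTERED_KEY, "rick", registry)

    # 2. A party claiming to be "rick" without the shared secret (here an all-zero
    #    guess) cannot produce a valid response: spoofing fails.
    no_secret = run_exchange(bytes(32), "rick", registry)

    # 3. A response captured from an earlier round does not verify against a
    #    fresh challenge, so observing traffic does not yield the secret.
    old_challenge = make_challenge()
    captured = respond(REGISTERED_KEY, "rick", old_challenge)
    replay = verify("rick", make_challenge(), captured, registry)

    # 4. The verifier checks possession of the key, not who is holding it: the
    #    computation is identical to case 1 for anyone in possession of the token.
    token_holder = run_exchange(REGISTERED_KEY, "rick", registry)

    return {"genuine": genuine, "no_secret": no_secret,
            "replay": replay, "token_holder": token_holder}


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:13s} -> {'verified' if ok else 'rejected'}")
```

Case 4 is the gap the post describes: the protocol can establish that the peer holds a hard-to-forge credential, and binding that credential to a particular person or role is a policy matter outside the protocol.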




---------------------------------------------------------------------
The Cryptography Mailing List