when a fraud is a sale, Re: Rubber hose attack

[Rick Smith at Secure Computing]

At 11:01 AM 11/5/2001, JohnE37179 at aol.com wrote:

>The problem with all authentication technologies in use today from 
>biometrics to PKI to digital certs, all finesse the identification process 
>and push it off to some "trusted" third party...all without clearly 
>defining what that third party must bring to the table.

Perhaps this is why I'm expecting PKI to flourish primarily within 
enterprises that run their own CAs as opposed to third parties, at least in 
the near term.

Although a few third party credit card vendors got things started decades 
ago, credit cards didn't really blossom until after a period in the '60s 
and '70s during which many/most individual enterprises issued their own 
cards. This allowed the enterprises to learn by themselves what the costs, 
risks, and rewards were. They had the opportunity to decide for themselves 
what risks to take and directly experience the results. Only after the 
enterprises developed this internal awareness of the real implications of 
such cards could they understand the system well enough to know what it 
meant to sign up with Visa, MC, or one of the other big names. At least, 
that's my reading of the history, and how it might apply to PKI or other 
authentication technologies.

It seems to me that the concept of identity is application specific (and 
thus enterprise specific in a sense), which makes it tricky for an 
'authentication vendor' to try to provide a general 'identity' solution 
except maybe through 'AAA' products.


Rick.
smith at securecomputing.com            roseville, minnesota
"Authentication" in bookstores http://www.visi.com/crypto/




---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com