invoicing with PKI

Hadmut Danisch hadmut at danisch.de
Mon Sep 1 13:17:55 EDT 2003


On Mon, Sep 01, 2003 at 12:23:28PM -0400, Ian Grigg wrote:
>
> The dream of PKI seems to revolve around these major areas:
> 
>   1.  invoicing, contracting - no known instances
>   2.  authentication and authorisation - SSL client
>       side certs deployed within organisations.
>   3.  payments
>   4.  channel security (SSL)
>   5.  email (OpenPGP, S/MIME)
> 
> In terms of actual deployed PKIs, the only significant
> cases that I know of, deployed outside of organisations
> and in widespread use are:
> 
>    HTTPS (141k, see below), and
>    OpenPGP ("millions" says PGP Inc, so let's call it 100k or so).
> 


The reason I was asking is: I had a dispute with someone who
claimed that cryptography is by far the most important discipline
of information and communication security, and that its transition
from an art to a science was triggered by Shannon's paper in 1949
and the Diffie/Hellman paper in 1976 (discovery of public key
systems).

Reality is different: While Firewalls, Content Filters (Virus/Spam/
Porn filters), IDS, High availability systems, etc. become more and
more important, encryption and signatures, especially based on PKIs, 
don't seem to get more relevant (except for HTTPS/TLS).

There was an interesting speech given at the Usenix conference
by Eric Rescorla (http://www.rtfm.com/TooSecure-usenix.pdf,
unfortunately I did not have the time to visit the conference)
about cryptographic (real world) protocols and why they failed
to improve security. From the logfiles I've visited I'd estimate
that more than 97% of SMTP relays do not use TLS at all, not
even the opportunistic mode without PKI.

I actually know many companies who can live pretty well and secure
without cryptography, but not without a firewall and content filters.
But many people still insist on the claim that cryptography is by far
the most important and only scientific form of network security.

<provocation>
Is cryptography where security took the wrong branch?
</provocation>

regards
Hadmut

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


