Is cryptography where security took the wrong branch?

Ian Grigg iang at systemics.com
Sun Sep 7 15:14:06 EDT 2003


Eric Rescorla wrote:
...
> > The other thing to be aware of is that ecommerce itself
> > is being stinted badly by the server and browser limits.
> > There's little doubt that because servers and browsers
> > made poorly contrived decisions on certificates, they
> > increased the overall risks to the net by reducing the
> > deployment, and probably reduced the revenue flow for
> > certificate providers by a factor of 2-5.
> I doubt that. Do you have any data to support this claim?

Sure.  SSH.

It's about take up models.  HTTPS'
model of take-up is almost deliberately designed
to reduce take-up.  It uses a double interlocking
enforcement on purchase of a certificate.  Because
both the browser and server insist on the cert
being correct and CA-signed and present, it places
a barrier of size X in front of users.

Instead, if there were two barriers, each of half-X,
being the setup of the SSL server (a properly set
up browser would have no barrier to using crypto),
and the upgrade to a CA-signed cert, then many more
users would clear the hurdles, one after the other.

How high can you jump?  When I was young we used
to do this high jump thing, where we'd get up to
5 feet or so.

I could never do 6 feet.  I couldn't even do 4 feet
these days, but, I could do any number of 3 feet jumps.
I could probably even do a few 3 feet jumps these days.

(In that youth, we called them by feet.  These days,
a one metre jump looks more imposing...)

I'm curious.  You really think that in order to sell
certificates, the best thing is to make them hard to
use?  Is this a "quality" argument?

iang

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list