the limits of crypto and authentication

Pat Farrell pfarrell at pfarrell.com
Thu Jul 14 11:59:36 EDT 2005


On Thu, 2005-07-14 at 18:43 +0200, Amir Herzberg wrote:
> Pat Farrell wrote:
> > 
> > As I recall, the goal of SET was to have a standard
> > that was not invented by CyberCash. (I may be biased, I
> > worked at CyberCash at the time).

> This is incorrect. The main politics around SET was the artificial 
> `merger` of iKP (from IBM & Mastercard) and STT (from Visa and MS). As 
> far as I remember, CyberCash were involved but chose not to. They also 
> did not disclose their protocol like the other proposals. I may be wrong 
> about the CyberCash role,

CyberCash protocols were defined in RFCs. The RFCs
are probably still out there, although no longer in use.
The other two protocols were defensive against CyberCash,
and it looked like there would be three non-interoperable
protocol suites. The invention of SET was a marriage of
convenience. CyberCash had 15000 merchants; it isn't important now,
but I'd love to know the number of non-pilot SET merchants
in the wild.

I was the project manager for CyberCash's project to implement
SET as a joint venture with Netscape, Toshiba and Visa.
And I wrote the crypto code.

At one of the early SET committee meetings, someone from
CyberCash proposed that SET simply use the RFC'd protocols.
I expect that the offer was not made with proper political
tact.

As others have said, and in the spirit of the subject
of this thread, SET failed for many reasons, many
of them economic. There was little effort made
to bribe the merchants; I think there was talk of
a 26 basis point change in the discount rate,
which the banks thought was huge and the merchants
thought was noise. What really killed it
was the billions it would have cost all
the banks to issue and manage all the
certificates.

The crypto in SET was fine. The use of
certificates was excessive but in line with
PKI thinking of the time.

The problem was that it was a very expensive sledge hammer
to kill a flea.

In retrospect, over-reliance on crypto and
confusion of identity and authentication
contributed, but others were making the same
mistake.

We just have to be smarter now, nearly a decade later.
Crypto has to solve business problems that masses of
real people have.


-- 
Pat Farrell
http://www.pfarrell.com



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com