towards https everywhere and strict transport security (was: Has there been a change in US banking regulations recently?)

Anne & Lynn Wheeler lynn at
Fri Aug 27 09:52:25 EDT 2010

On 08/27/2010 12:38 AM, Richard Salz wrote:
> (For what it's worth, I find your style of monocase and ellipses so
> incredibly difficult to read that I usually delete your postings unread.)

It is well studied. I had gotten blamed for online computer conferencing
on the internal network in the late 70s and early 80s (rumor is that when
the executive committee became aware ... 5 of 6 wanted to immediately
fire me ... supposedly there was only one holdout).

Somewhat as a result, there was a researcher paid to sit in the back of
my office for nine months, taking notes on how I communicated, face-to-face,
telephone, computer ... got copies of all incoming and outgoing email,
logs of all instant messages, etc. Besides being a corporate research report,
it was also the basis for several papers, books and a Stanford PhD (joint
between language and computer AI). One number was that I averaged electronic
communication with 275 different people per week for the nine-month period.
Lots of past posts mentioning computer mediated communication.

In any case, we were brought in to help wordsmith the Cal. state
electronic signature legislation. The certification authority industry
was heavily lobbying (effectively) that digital certificates had to
be mandated for every adult.

The certification authority industry, besides doing the SSL domain
name digital certificates, was out pitching to Wall Street money
people a $20B/annum business case (basically all adults with a
$100/annum digital certificate). Initially they appeared to
believe that the financial industry would underwrite the certificates.
The financial industry couldn't see the justification for
the $20B/annum transfer of wealth to the certification authority
industry. There were various attempts then to convince consumers
that they should pay it directly out of their own pocket.
In the payment area, they were also pitching to the merchants that,
as part of deploying the digital certificate infrastructure, the burden of
proof in digitally signed payment transactions would be switched
to consumers (somewhat like the UK, where approximately that has happened as
part of payment hardware tokens).

That netted out to consumers paying $100/annum (for digital certificates),
out of their own pocket, for the privilege of having the burden
of proof in disputes shifted to them. That didn't sell ... so there was
heavy lobbying all around the world wanting governments to mandate digital
certificates for every adult (paid for by the individual). The lawyers
working on the Cal. legislation explained why digital signatures
didn't meet the criteria for "human signatures" (demonstration of a human
having read, agreed, authorized, and/or approved) needed by
electronic signature legislation. We got some patents in the
area, the 32nd just granted on Tuesday; they are all assigned,
we have no interest and have been long gone for years.

There are a couple of issues with new technology uptake ... it is much
more successful when 1) there is no incumbent technology already
in the niche, 2) there are strong champions with a profit
motivation, and 3) there is at least some perceived benefit.
In the 90s, I would pontificate how SSL domain name
certificates didn't actually provide any significant
security ... but were "comfort" certificates (for consumers),
aka the benefit was significantly a matter of publicity.

Better solutions that come along later don't necessarily win
... having an incumbent to deal with, and they are especially at a
disadvantage if there aren't major champions (typically
with strong profit motivation).

virtualization experience starting Jan1968, online at home since Mar1970

The Cryptography Mailing List