[Cryptography] Toxic Combination

Anne & Lynn Wheeler lynn at garlic.com
Tue Dec 9 13:16:38 EST 2014

On 12/09/2014 01:22 AM, Dave Howe wrote:
> You would think they would go down the path of setting up their own CAs
> for that - cheaper to set up a working group between them, get a HSM
> based root, and issue signing certs to member institutions....

The CA-industry had a lot of hype about supposed need for branded
CA institution. Note that the financial organization was also being
required to register all the individuals' public keys in the account
records ... before the the 14M account records were conveyed to the
CA, where the bits would be swizzled into a digital certificate for
the small price of $100/account.

Note when the board was told about the $1.4B price, not only was
the effort shutdown (after spending $50M on pilot), but some number
were liberated from their employment.

At the time we had become quite well known for criticizing CAs.
In this case, we pointed out that every case where the CAs were
justifying a digital certificate for verifying a customer's
digital signature, the operation also involved accessing the
account record ... where the public key had been previously
been pre-registered ... as a result, in every case, the digital
signature could be verified by the previously registered public
key in the account record ... and in every case, the digital
certificate was redundant and superfluous (besides being
useless expensive expenditure).

We had also documented, in the case of digital certificates for
payment transactions ... it involved a similar scenario, in every
case the the account record needed to be accessed at some point
(where the public key had been previously registered). Furthermore
in the payment transaction case besides digital certificates being
redundant/superfluous and useless expensive expenditure, they
were also an enormous payload bloat ... digital certificate being
100 times larger than the standard payment transaction size. Somewhat
as a result, the CA industry got a "compressed certificate" work
item added to financial industry standards body. Part of the
"compression" work eliminated any field that would be available
at the relying institution. We then showed that *ALL* fields
would be at the relying institution ... and digital certificates
could be compressed to zero bytes ... rather than eliminate
all use of digital certificates, mandate that zero-byte digital
certificates be attached to every payment transaction (creating
a whole new infrastructure for the management of zero-byte digital

Possibly more than you ever want to know ... during this (internet
bubble) period we were at a financial standards meeting being hosted
in DC by a well known lobbying organization. During the meeting we were
asked to step out and taken to an office, the door was shut and
we were introduced to somebody from a NJ ethnic organization.
He said he had been asked to talk to us by some investment
bankers, it was nothing personal, purely business (investment
bankers are amoral sociopaths). The investment bankers were
expecting $2B in an upcoming (CA-related) IPO and our criticism
was predicted to have a 10% downside ($200M) ... and we should
stop our vocal criticism.

We then went to some Federal LEOs and were told that investment
bankers were like that.Many of the investment bankers involved
in the internet bubble IPO mill (put in a few tens millions, hype
for couple yrs, IPO for couple billion, and then fail, leaving the field
open for the next round of IPOs), had previous walked away clean from
the S&L mess and were predicted next to get into mortgages.

virtualization experience starting Jan1968, online at home since Mar1970

More information about the cryptography mailing list