[3536] in cryptography@c2.net mail archive
Re: SDTI, certificates, and such
daemon@ATHENA.MIT.EDU (John R Levine)
Fri Oct 23 16:55:04 1998
Date: Fri, 23 Oct 1998 13:12:00 -0400 (EDT)
From: John R Levine <johnl@iecc.com>
To: Robert Hettinga <rah@shipwright.com>
cc: cryptography@c2.net
In-Reply-To: <v04020a04b2561b978874@[139.167.130.246]>

> If in fact SDTI did have a large cash hoard, it would make it a buy even in
> Ben Graham's book. Which I said, if you remember. Okay. I inferred it.

Close enough, book is $5.28, cash is $3.87, price is 10 3/4. At that
price you could throw away the business and start something new with the
cash.

> Besides, ultimately, creating hierarchies of "certificates" of those
> key-to-person maps, ala Verisign/X.BlaBla, is not only a waste of time
> economically, it's downright logically impossible.

Hierarchies still seem to me to founder on the issue of liability. When they
start authenticating multi-million dollar transactions with these things,
who's going to be holding the bag when one of them goes bad? I'm not worried
about cracking codes with yet to be invented supercomputers, I'm worried
about sloppy key management and social engineering. And the ability to forge
million dollar transactions is worth a lot of social engineering indeed.

These six banks setting up the certificate service are certainly a bunch
of rich guys, but how much capital are they putting into the cert service,
and how much liability are they agreeing to accept when a cert turns out to
be stolen or fraudulently obtained? If it's less than a couple of days
projected transaction volume, they're not serious.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner
Finger for PGP key, f'print = 3A 5B D0 3F D9 A0 6A A4 2D AC 1E 9E A6 36 A3 47