[792] in cryptography@c2.net mail archive
Re: Clinton Admin. to announce new Crypto regs
daemon@ATHENA.MIT.EDU (Adam Shostack)
Sat May 10 14:02:57 1997
From: Adam Shostack <adam@homeport.org>
In-Reply-To: <3.0.32.19970509141336.006ebccc@postoffice.worldnet.att.net> from Will Rodger at "May 9, 97 02:13:40 pm"
To: rodger@worldnet.att.net (Will Rodger)
Date: Sat, 10 May 1997 11:06:58 -0400 (EDT)
Cc: cryptography@c2.net
Will Rodger wrote:
|
| > Netscape is PC banking software.
| >
| > SSL is the banks encryption tool of choice because it saves
| >you from having to write or support custom software.
|
| As does SET - its apparent successor.
As far as I know, SET is designed for credit cards, not
banking. It may be possible to do real banking on top of SET, but I
don't believe its optimised for it in any way.
Some other comments on SET. SET is awfully slow. Your merchnat
needs to do 6 RSA ops per transaction. Now, thats great for companies
like Rainbow or NCipher, who make accelerators, but not so great for
the merchant. SET is *way* behind schedule because of its complexity.
Its complexity makes it very hard to analyze the protocol as a whole
for security problems. Those problems, should they exist, will
require wholesale overhaul of the financial system, because there will
only be 3 (4?) allowed implementations of SET. If one of them has a
problem, you'll need to replace *lots* of software. SET is designed
to address a problem thats perculiar to credit cards, which is the
card not present sort of fraud issuers hate talking about. Banks may
not care about that for letting you manage your checking account.
So, while SET may get deployed because it addresses a real
problem of the credit card industry, it does not address a retail or
commercial banks concerns, except incidentally. The cost and
complexity of implementing SET means that something else will probably
win for retial banking. I expect that something to be a browser,
possibly using the digital signature capabilities of their mail tools.
| > Claiming that this helps a retail operation is newspeak.
|
| Netscape seemed to like it. Talk to them.
Netscape has been awfully focused on the retail merchant
problem, becuase its easier to handle than creating net to cheque
clearing gateways. But credit cards are expensive (2-4% of your
products cost), and cheques are cheap. Digicash and other such may
also be cheaper, which will help to push credit cards out of the
picture, and make SET less relevant to Netscapes online commerce
model.
Adam
--
"It is seldom that liberty of any kind is lost all at once."
-Hume
