Re: first virtual "security" (!!) (was Re: Security Flaw Is Discovered In Software Used in Shopping)
Excerpts from mail.fv: 22-Sep-95 Re: first virtual "security.. Jiri [email protected] (1560*)
> > >financial insecurity never was a problem as
> > >long as it remains under a small %.
> >
> > This is an amazing statement, Laurent.
> It's not an amazing statement. As long as the cost of insecurity is
> less than cost of security, there's no problem.
I think the basic confusion here is precisely about the cost.
The cost of having one credit card stolen is small.
The cost of having millions stolen at once is *astronomical*. It really
could bring down the whole credit card system, if that was the
criminal's goal.
My concern is about schemes in which the compromise of the cryptographic
algorithms or software leads to a scenario in which one criminal steals
millions of credit cards. In such a scenario, the cost of insecurity is
unacceptably high.
> Okay, so what's stopping you from starting right now with PGP?
> You could simply have that as an alternative to the current system
> (on a per-ID basis, ie new customers specify PGP or not).
> Quite a few people both have PGP and would think well of you if you
> started using it.
> How about "The safest Internet payment system just got safer."?
We're definitely moving in this direction. It's more complicated than
you make it sound, though. Personally, I don't want to use any
cryptography without an explicit, clear, policy and mechanism for key
expiration and key lifetimes. The risk of key compromise is directly
proportional to the key lifetime. PGP today -- which we use very
heavily internal to FV -- is not well-equipped for dealing with key
management issues on a scale of millions of users.
Now, having said that... we're currently planning to deploy FV version
2 before the end of the year. Version 2 *will* include the first use of
PGP in the FV system, but it will NOT work the way you probably expect.
Stay tuned! -- Nathaniel
--------
Nathaniel S. Borenstein <[email protected]> | When privacy is outlawed,
Chief Scientist, First Virtual Holdings | only outlaws will have privacy!
FAQ & PGP key: [email protected] | SUPPORT THE ZIMMERMANN DEFENSE FUND!
---VIRTUAL YELLOW RIBBON-->> [email protected] <http://www.netresponse.com/zldf>
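The key-lifetime policy Nathaniel describes (explicit expiration, bounded lifetimes, risk growing with lifetime) can be enforced mechanically. The checker below is an added example, not code from First Virtual or from this thread; it assumes the modern `gpg --list-keys --with-colons` record format (field 5 key id, field 6 creation, field 7 expiry, as unix timestamps), and the `pub:` records it parses are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Policy: every key must carry an expiry, and no key may live longer than this.
MAX_LIFETIME_DAYS = 365

def _parse_ts(field: str):
    """gpg --with-colons prints creation/expiry as a unix timestamp, or empty."""
    if not field:
        return None
    if field.isdigit():
        return datetime.fromtimestamp(int(field), tz=timezone.utc)
    # Older gpg releases print YYYY-MM-DD instead of a timestamp.
    return datetime.strptime(field, "%Y-%m-%d").replace(tzinfo=timezone.utc)

def check_key_lifetimes(colon_output: str, now: datetime,
                        max_days: int = MAX_LIFETIME_DAYS) -> dict:
    """Return {keyid: verdict} for every 'pub' record in --with-colons output.

    A key is rejected when it has no expiry (unbounded lifetime), when it has
    already expired, or when its creation-to-expiry window exceeds the policy.
    """
    findings = {}
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] != "pub":
            continue
        keyid, created, expires = f[4], _parse_ts(f[5]), _parse_ts(f[6])
        if expires is None:
            findings[keyid] = "REJECT: no expiry date (unbounded key lifetime)"
        elif expires <= now:
            findings[keyid] = "REJECT: expired"
        elif expires - created > timedelta(days=max_days):
            findings[keyid] = f"REJECT: lifetime exceeds {max_days} days"
        else:
            findings[keyid] = "OK"
    return findings

# Constructed sample records (hypothetical key ids, not real keys):
# A: 347-day lifetime, valid   B: no expiry   C: already expired   D: 1273-day lifetime
SAMPLE = """\
tru::1:1700000000:0:3:1:5
pub:u:4096:1:AAAAAAAAAAAAAAAA:1690000000:1720000000::u:::scESC::::::23::0:
pub:u:4096:1:BBBBBBBBBBBBBBBB:1690000000:::u:::scESC::::::23::0:
pub:e:2048:1:CCCCCCCCCCCCCCCC:1600000000:1650000000::u:::scESC::::::23::0:
pub:u:4096:1:DDDDDDDDDDDDDDDD:1690000000:1800000000::u:::scESC::::::23::0:
"""

def run_sample(now_ts: int = 1700000000) -> dict:
    """Evaluate the constructed sample at a fixed 'now' so results are reproducible."""
    return check_key_lifetimes(SAMPLE, datetime.fromtimestamp(now_ts, tz=timezone.utc))

if __name__ == "__main__":
    for keyid, verdict in run_sample().items():
        print(keyid, verdict)
```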