Maybe It's Snake Oil All the Way Down
Anne & Lynn Wheeler
lynn at garlic.com
Wed Jun 4 19:58:47 PDT 2003
At 04:25 PM 6/4/2003 -0700, James A. Donald wrote:
> --
>Everyone in America has several shared secrets identifying them
>-- the number of the beast to identify them to the state, and
>their credit card numbers identifying them to various financial
>institutions, plus a hundred passwords to log in to their
>email, their bank, their network provider, e-gold, etc.
>
>The PKI idea was that we would instead use PK in place of
>shared secrets, but if an ordinary person had a private key,
>what could he use it for?
>
>The spam that seeks to get us to log in to e-g0ld and the
>BankOf4merica.com works because the logins are based on shared
>secrets, not private keys, and the networks are set up to rely
>on shared secrets because there is no practical alternative.

one could claim that public-key is a practical alternative but it got
significantly sidetracked with an independent business model that wanted
to extract a huge amount of money out of existing infrastructures (say totally
brand new independent operations wanting $100/annum for every person,
extracted from the existing infrastructure for no significant positive
benefit ... aka say 200m people at @$100/annum is $20b/annum ... in return
for some abstract bit vapor that doesn't change any core business issue).

it is relatively trivial to demonstrate that public keys can be registered
in every business process that currently registers shared-secrets (pins,
passwords, radius, kerberos, etc, etc). the issue then becomes one of cost
to change/upgrade those infrastructures to support digital signature
authentication with the stored public keys in lieu of string comparison (no
new business operations, no new significant transfer of wealth to brand new
outside business entities, etc).

however, think about even these simple economics for a minute .... even for
relatively modest technology changes that don't change any of the business
processes/relationships ... it still costs some money ... and the
beneficiary isn't the institution, it is the individual. The individual has
the paradigm changed from hundreds of shared-secrets to a single key-pair
... however each institution continues to see just as many individuals and
account records. From a very practical standpoint ... entities don't
frequently fund things that they don't benefit from ... and typically most
success is achieved when the entity that benefits from the change is also
driving/funding the change.

the issue is to find out how the individual pays for the change .... or
figure out how the institutions are going to benefit.

--
Anne & Lynn Wheeler http://www.garlic.com/~lynn/
Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm
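
The substitution described in the reply above (a public key registered in the same record that now holds a shared secret, with signature verification in lieu of string comparison), as an added Go example that is not part of the original message. The Account record, the function names and the per-login random challenge are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// Account is a constructed record: the same row can hold either kind of credential.
type Account struct {
	Password  string            // shared secret, checked by string comparison
	PublicKey ed25519.PublicKey // registered public key, checked by signature
}

// CheckPassword is the shared-secret check: anyone who learns the string passes it.
func (a Account) CheckPassword(presented string) bool {
	return subtle.ConstantTimeCompare([]byte(a.Password), []byte(presented)) == 1
}

// NewChallenge returns a fresh random value the server issues for one login attempt.
func NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// CheckSignature verifies a signature over this login's challenge with the stored key.
func (a Account) CheckSignature(challenge, sig []byte) bool {
	return len(a.PublicKey) == ed25519.PublicKeySize && ed25519.Verify(a.PublicKey, challenge, sig)
}

// Demo reports: captured password accepted, fresh signature accepted, old signature accepted.
func Demo() (bool, bool, bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	acct := Account{Password: "constructed-password", PublicKey: pub}
	captured := acct.Password     // what a look-alike login page ends up holding
	c1 := NewChallenge()          // challenge for the first login
	sig := ed25519.Sign(priv, c1) // the private key itself never leaves the user
	c2 := NewChallenge()          // a later login gets a different challenge
	return acct.CheckPassword(captured), acct.CheckSignature(c1, sig), acct.CheckSignature(c2, sig)
}

func main() { fmt.Println(Demo()) }
```

The institution's record still holds one credential per account in both cases; what changes is that the stored public key and any previously observed signature are not enough to pass a later check.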