Re: first virtual "security" (!!) (was Re: Security Flaw Is Discovered In Software Used in Shopping)
Hello Laurent Demailly <dl@hplyot.obspm.fr> and "NSB's Portable (via RadioMail)" <nsb@radiomail.net> and cypherpunks@toad.com

"NSB's Portable (via RadioMail)" <nsb@radiomail.net> writes:
At 4:32 AM 9/21/95 +0200, Laurent Demailly wrote: ...
financial insecurity never was a problem as long as it remains under a small %.
This is an amazing statement, Laurent. ...
It's not an amazing statement. As long as the cost of insecurity is less than cost of security, there's no problem. ...
We're not opposed to cryptography, by the way. There are some obvious places where the use of digital signatures could directly enhance our ...
Okay, so what's stopping you from starting right now with PGP? You could simply have that as an alternative to the current system (on a per-ID basis, ie new customers specify PGP or not).

Quite a few people both have PGP and would think well of you if you started using it.

How about "The safest Internet payment system just got safer."?

Jiri
--
If you want an answer, please mail to <jirib@cs.monash.edu.au>.
On sweeney, I may delete without reading!
PGP 463A14D5 (but it's at home so it'll take a day or two)
PGP EF0607F9 (but it's at uni so don't rely on it too much)
Excerpts from mail.fv: 22-Sep-95 Re: first virtual "security.. Jiri Baum@sweeney.cs.mon (1560*)
financial insecurity never was a problem as long as it remains under a small %.
This is an amazing statement, Laurent.
It's not an amazing statement. As long as the cost of insecurity is less than cost of security, there's no problem.
I think the basic confusion here is precisely about the cost. The cost of having one credit card stolen is small. The cost of having millions stolen at once is *astronomical*. It really could bring down the whole credit card system, if that was the criminal's goal. My concern is about schemes in which the compromise of the cryptographic algorithms or software leads to a scenario in which one criminal steals millions of credit cards. In such a scenario, the cost of insecurity is unacceptably high.
Okay, so what's stopping you from starting right now with PGP? You could simply have that as an alternative to the current system (on a per-ID basis, ie new customers specify PGP or not).
Quite a few people both have PGP and would think well of you if you started using it.
How about "The safest Internet payment system just got safer."?
We're definitely moving in this direction. It's more complicated than you make it sound, though. Personally, I don't want to use any cryptography without an explicit, clear, policy and mechanism for key expiration and key lifetimes. The risk of key compromise is directly proportional to the key lifetime. PGP today -- which we use very heavily internal to FV -- is not well-equipped for dealing with key management issues on a scale of millions of users.

Now, having said that... we're currently planning to deploy FV version 2 before the end of the year. Version 2 *will* include the first use of PGP in the FV system, but it will NOT work the way you probably expect. Stay tuned! -- Nathaniel

--------
Nathaniel S. Borenstein <nsb@fv.com> | When privacy is outlawed,
Chief Scientist, First Virtual Holdings | only outlaws will have privacy!
FAQ & PGP key: nsb+faq@nsb.fv.com | SUPPORT THE ZIMMERMANN DEFENSE FUND!
---VIRTUAL YELLOW RIBBON-->> zldf@clark.net <http://www.netresponse.com/zldf>
participants (2)
- Jiri Baum
- Nathaniel Borenstein