The Register - UK firm touts alternative to digital certs (fwd)

Eric Murray ericm at lne.com
Mon Oct 21 08:20:46 PDT 2002


On Mon, Oct 21, 2002 at 03:37:33PM +0100, David Howe wrote:
> at Monday, October 21, 2002 3:14 PM, Trei, Peter
> <ptrei at rsasecurity.com> was seen to say:
> > I'd be nervous about availability with centralized servers,
> > even if they are "triple redundant with two sites". DDOS
> > attacks, infrastructure (backhoe) attacks, etc, could all
> > wreak havoc.
> Indeed so, yes.
> I suspect (if it ever takes off) that they will have to scale their
> server setup in pace with the demand, but to be honest I think 600/sec
> is probably quite a high load for actual payments - we aren't talking
> logins or web queries, but actual real-money-payment requests.

Looking at their web site, they seem pretty generic about
what it's for, but I did not see any mention of using it for payments.
So I assume it's for logins.

They do say that their servers are "benchmarked at 300 transactions/sec".
That's pretty darn slow for single DES.  There would have to
be an authenticated and probably encrypted session between the
server accepting the login (or the merchant if it really does payments)
and the back end.  But even using SSL/TLS, which would be more
than is required but an easy component to plug in, they ought
to be able to get at least a true 1000 sessions/sec using one of the
current SSL accelerators out there.

Maybe they have a bunch of slow database lookups?  Perhaps there
is a long RTT for the check against the CIA blacklist?

If it is for logins, how many sites would be willing to let someone
else know when their employees log in?  That could be useful
competitive intelligence.

Eric




