Maybe It's Snake Oil All the Way Down

Wed Jun 4 19:58:47 PDT 2003

At 04:25 PM 6/4/2003 -0700, James A. Donald wrote:
>     --
>Everyone in America has several shared secrets identifying them
>-- the number of the beast to identify them to the state, and
>their credit card numbers identifying them to various financial
>institutions, plus a hundred passwords to  login to their
>email, their bank, their network provider, e-gold, etc.
>
>The PKI idea was that we would instead use PK in place of
>shared secrets, but if an ordinary person had a private key,
>what could he use it for?
>
>The spam that seeks to get us to login to e-g0ld and the
>BankOf4merica.com works because the logins are based on shared
>secrets, not private keys, and the networks are setup to rely
>on shared secrets because there is no practical alternative.

one could claim that public-key is a practical alternative but it got 
significantly sidetracked with independent business model that wanted 
extract huge amount of money out of existing infrastructures (say totally 
brand new independent operations wanting $100/annum for every person, 
extracted from the existing infrastructure for no significant positive 
benefit ... aka say 200m people at @$100/annum is $20b/annum ... in return 
for some abstract bit vapor that doesn't change any core business issue).

it is relatively trivial to demonstrate that public keys can be registered 
in every business process that currently registers shared-secrets (pins, 
passwords, radius, kerberos, etc, etc).  the issue then becomes one of cost 
to change/upgrade those infrastructures to support digital signature 
authentication with the stored public keys in lieu of string comparison (no 
new business operations, no new significant transfer of wealth to brand new 
outside business entities, etc).

however, think about even these simple economics for a minute .... even for 
relatively modest technology changes that don't change any of the business 
processes/relationships ... it still costs some money ... and the 
beneficiary isn't the institution, it is the individual. The individual has 
the paradigm changed from hundreds of shared-secrets to a single key-pair 
... however each institution continues to see just as many individuals and 
account records. From a very practical standpoint ... entities don't 
frequently fund things that they don't benefit from ... and typically most 
success is achieved when the entity that benefits from the change is also 
driving/funding the change.

the issue is to find out how the individual pays for the change .... or 
figure out how the institutions are going to benefit.
--
Anne & Lynn Wheeler    http://www.garlic.com/~lynn/
Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm