

To: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
Cc: Brad Knowles <brad.knowles@skynet.be>, Edward Lewis <edlewis@arin.net>, Markus Stumpf <maex-lists-dns-ietf-dnsop@Space.Net>, dnsop@cafax.se
From: Brad Knowles <brad.knowles@skynet.be>
Date: Thu, 24 Oct 2002 02:28:31 +0200
In-Reply-To: <200210231428.XAA14048@necom830.hpcl.titech.ac.jp>
Sender: owner-dnsop@cafax.se
Subject: Re: Interim signing of the root zone.

At 11:28 PM +0859 2002/10/23, Masataka Ohta wrote:

>  The real world does not need PKI.
>
>  People pay with credit card, not because of PKI, but because
>  credit card companies give credentials to their customers.

	The credit card companies lose billions of dollars a year due to 
fraud.  They want more secure transactions than most anyone else in 
the world, and they are paying *BIG* bucks to make it happen.  And a 
KI or PKI is a critical part of that task.

	Are you willing to have your startup risk billions of dollars a 
year because you didn't secure the transactions, but you guarantee 
them anyway?

>  Shared key cryptography with long and random enough keys is simply
>  secure regardless of the number of the users.

	Shared keys that long and random can't be remembered by users, 
and there has to be some sort of KI to support them.

>  Your argument should be that, public key cryptography is insecure
>  because it relies on the security of transactions of shared key
>  cryptography which is '"secure" as an inverse power of the number of'
>  transactions which have the shared keys exchanged through PKI for
>  so many transactions,

	Shared key transactions are a critical part of public key 
transactions.  The public key part is just enough to allow you to 
securely exchange shared session keys which then automatically go 
away.

	The problem is with persistent shared key cryptography.

>  Fortunately, in the real world, no one needs PKI.

	Maybe they think they don't.

>  Over the real world Internet, people are already paying on line with
>  credit cards, because credit card companies are giving credential to
>  their users through the direct relationships between the credit card
>  companies and the users.

	How many users are willing to buy things over the net that aren't 
secured with SSL?  Well, any use of SSL is using public key 
cryptography, and needs a PKI.

	If you're willing to use credit cards without securing the 
transaction, then feel free to share your credit card numbers on this 
mailing list.

>  You can't use your credit card for your shopping, if the shop you are
>  paying for can not communicate with a credit card company to
>  authorize your credential information, for which PKI is useless.

	How the hell do you think they authorize the card?!?

	Just what does the word "authorize" mean in your dictionary, anyway?!?

>  Moreover, best effort communication over the Internet is basically
>  free that no one really wants to reduce the need for the realtime
>  communication.

	Feel free to turn off all use of SSL, TLS, ssh, etc... on all 
your computers.

>  On the other hand, credit card companies or any other entities are
>  giving credential to their users through direct relationships between
>  the entities and the users. They can exchange and are already
>  exchanging shared keys through the direct relationships.

	And how do you think those direct relationships are handled in 
the first place?!?

>  Nothing is different on (in)secure DNS that there is no point on
>  signing the root zone.
>
>  The real world does not need PKI nor secure DNS.

	Feel free to give us your social security number, your credit 
cards, and all your other personal data.

	If you're not willing to do that, then please share with us how 
you are going to secure any transaction that uses this kind of 
information.  Moreover, please explain how you are going to do that 
but *not* using SSL, TLS, ssh, or any other form of encryption.

-- 
Brad Knowles, <brad.knowles@skynet.be>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
     -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E W+++(--) N+ !w---
O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)