Secret Key protection (was Re: PKI creed)

Brian Gladman ukcrypto at maillist.ox.ac.uk
Sun, 17 Sep 2000 10:30:27 +0100


From: "John R T Brazier" <prunesquallor@proproco.co.uk>
To: <ukcrypto@maillist.ox.ac.uk>
Sent: Saturday, September 16, 2000 10:46 PM
Subject: RE: Secret Key protection (was Re: PKI creed)


>
> Carl Ellison/Brian Gladman said:
>
> > If we plot such security measures versus time and look at the trend, we
> > don't see computers becoming more secure over time -- they become less
> > secure.  What market force will change that (especially since the market
> > (the consumer) hates security(*) and wants nothing to get in the way
> > between him and his dancing pigs)?
>
> I can only agree with you. In my view e-commerce will grow in spite of the
> difficulties and my hope (maybe an unrealistic one) is that as fraud grows
> with it, the 'group' carrying the cost of this fraud will push for
> improved security.
>
> Could I possibly suggest (with some evidence if you wish me to give it)
> that, in fact, no-one really gives a toss about credit card fraud? We live
> in a society where governments appropriate 40%+ of GNP to spend on their
> own requirements (some useful to society, many not). Given the relatively
> high efficiency of Western businesses in generating wealth, credit card
> fraud - even if it is 40% on the Internet - is absorbable as long as the
> growth in business is fast enough. To give a simple parallel, the attrition
> of British slave ships was around 50%, yet the growth in the trade
> bankrolled the British Empire.
>
> Therefore, a lot of the wittering about security is actually misplaced:
> the movement of large volumes of money is more important than insuring it
> all gets to the right place.
>
> Could my detractors please form an orderly queue ...
>
> All the best,
>
> John B

I agree that the level of fraud we have seen in the past has not worried the
banks, the merchants or governments.  But, in my view, widespread e-commerce
in the presence of the lack of security that currently exists will provide
scope for fraud on a scale that it will be difficult to ignore.

Whether the reaction is a sensible one is much less certain though.  I read
in the paper today that Charles Clarke is worried about this - in view of
the GAK in RIP disaster I wonder what we are now in for?

   Brian