Re: Why are secure web pages are so !@#$%^&*()_ slow

James A. Donald (jamesd@echeque.com)
Thu, 14 Jan 1999 08:30:11 -0800

• Next message: EKR: "Re: Why are secure web pages are so !@#$%^&*()_ slow"
• Previous message: 'Mok-Kong Shen': "RE: Mysterious faked posting in CodherPlunks"
• Maybe in reply to: Mok-Kong Shen: "Mysterious faked posting in CodherPlunks"
• Next in thread: EKR: "Re: Why are secure web pages are so !@#$%^&*()_ slow"
• Reply: EKR: "Re: Why are secure web pages are so !@#$%^&*()_ slow"

    --
At 10:16 PM 1/13/99 -0800, James A. Donald wrote:
> > [...] So all this great encryption is used to merely
> > prove possession of a shared four digit secret. Oh wow!

At 09:55 AM 1/14/99 -0500, David Jablon wrote:
> Presuming sarcasm on your part, I disagree. You've raised
> legitimate questions about when and where PK encryption is
> necessary. Personally, I see no greater purpose for PK
> encryption than to protect personal and shared secrets,
> both large and tiny.

But if we have a shared secret, then in principle we do not
need PK, and if we have permanent public keys, we do not need
a four digit shared secret.

The problem is that the bank technology for ID is far more
primitive than the browser technology for ID and security,
and the bank technology is running on top.

The great browser security system is cobbled on to the less
than great human security system.

This relates to the problem that we have to register with so
many people, have to remember so many passwords (shared
secrets). We need a browser protocol to support
registration, rather than using human memory as the
registration database. I hate registering. It is work.

> Under reasonable assumptions, PK encryption is absolutely
> essential. In order to protect a PIN code, or any small
> secret, at least one PK exchange is needed to create a
> secure session.

If we were writing software specific to the purpose, or
better if browser technology was such that it was reasonable
to use it in ways specific to the purpose of maintaining a
relationship with a secure site, if the browser took care of
this registration crap in the normal case, we could use the
PIN or the shared password to create a secure session.

    --digsig
         James A. Donald
     6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
     DmLWyb+vTsnUj7O08fWUEV4zqL9HjxLIJDTZbYKR
     4vIRQvM4RRG9y1fGQnVrBi1Td7l3NYZyHp6LPbDad
-----------------------------------------------------
We have the right to defend ourselves and our property, because
of the kind of animals that we are. True law derives from this
right, not from the arbitrary power of the omnipotent state.

http://www.jim.com/jamesd/      James A. Donald

• Next message: EKR: "Re: Why are secure web pages are so !@#$%^&*()_ slow"
• Previous message: 'Mok-Kong Shen': "RE: Mysterious faked posting in CodherPlunks"
• Maybe in reply to: Mok-Kong Shen: "Mysterious faked posting in CodherPlunks"
• Next in thread: EKR: "Re: Why are secure web pages are so !@#$%^&*()_ slow"
• Reply: EKR: "Re: Why are secure web pages are so !@#$%^&*()_ slow"