1996-06-29 - Re: CIA Fears UmpTeen InfoNukes

Header Data

From: frantz@netcom.com (Bill Frantz)
To: Rick Smith <cypherpunks@toad.com
Message Hash: 835b463d2f5b0db7c94df0017f558a507f06675c2e07e6874281491a6b24f9be
Message ID: <199606281920.MAA12136@netcom7.netcom.com>
Reply To: N/A
UTC Datetime: 1996-06-29 02:06:05 UTC
Raw Date: Sat, 29 Jun 1996 10:06:05 +0800

Raw message

From: frantz@netcom.com (Bill Frantz)
Date: Sat, 29 Jun 1996 10:06:05 +0800
To: Rick Smith <cypherpunks@toad.com
Subject: Re: CIA Fears UmpTeen InfoNukes
Message-ID: <199606281920.MAA12136@netcom7.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


At 10:51 AM 6/28/96 -0500, Rick Smith wrote:
>frantz@netcom.com (Bill Frantz) writes:
>>I think that backward compatibility requirements are a significant part of
>>the reason we see this problem.  The other part is, of course, that there
>>is no market for security.
>
>...
>
>The requirement isn't "backwards compatibility," the requirement is
>that people get their work done. If the security threat keeps them
>from getting their work done, then backwards compatibility is no
>longer a major requirement.

Absolutely.  However, from a vendor's point of view, customers have a wide
range of security problems.  Some run in an open environment and have no
use for security.  They may still be using those VT100s.  These are the
customers the vendor considers when thinking of backwards compatibility.


>>The ideal situation for them would be to use public key authentication
>>because it would be entirely user-transparent. ...
>
>Nonsense. The mere fact that it's not currently deployed guarantees
>that it won't be user transparent. Vendors will include it on some
>rewrite of whatever software it's embedded in. Memory requirements go
>up and delays are introduced when the crypto computations are
>performed. Security will be added only if it gives customers more
>things they can do, so there'll be other functional changes as well.

There are several "users" at issue.  I fully agree that those
administrators responsible for upgrading the software and hardware for the
change will notice.  The people who have to pay for it all should also
notice.  But the actual end user may find the logon simplified.  If it is
sufficient to merely identify the machine and not the person, then the new
software can eliminate end user involvement in the logon.  The
administrator is responsible for installing the private key in the machine
and the end user never sees it.

On the other hand, if users still must be identified, it is possible to
give them a logon interface which is unchanged from the old,
non-one-time-password, interface, while still giving them the benefits.


-------------------------------------------------------------------------
Bill Frantz       | The Internet may fairly be | Periwinkle -- Consulting
(408)356-8506     | regarded as a never-ending | 16345 Englewood Ave.
frantz@netcom.com | worldwide conversation.    | Los Gatos, CA 95032, USA






