From novotech@iglobal.net  Wed Sep 11 15:17:29 1996
Date: Wed, 11 Sep 1996 11:50:53 -0500
To: best-of-security@suburbia.net
From: Ben Camp <novotech@iglobal.net>
Subject: Re: Can you trust your ISP ?? 

Maybe people should look past port 80 and port 443 (or whatever SSL runs on)
for secure transmissions.  That's all I'm trying to say.  HTTP is a very
basic and simple protocol.  How about we look past complicating something
simple.  By doing that we create a barrier to entry for smaller software
developers who cannot afford to license encryption technology.  

Why does it seem that this is the trend?  Why is it not logical that we keep
simple protocols simple and let people use other means to practice
encryption?  It's true that the average user will get scared when "A cookie
has been sent to them", and it would be great if nobody ever had to accept
them.  People, however, are basing software on the idea that the user either
has the warning screen disabled or does care.  

Nothing can compete with the security someone gets when they call and hear a
live person who takes their credit card number and tells them the order will
get to them.  That's a major problem, but not one that needs to be solved by
https or s-http.

It's too late again.

Ben Camp


>X-Disclaimer: THE COMMENTS CONTAINED IN THIS MESSAGE REFLECT THE VIEWS OF THE
>                         WRITER AND ARE NOT NECESSARILY THE VIEWS OF
>                                 FEDERAL EXPRESS CORPORATION.
>To: Ben Camp <benc@geocel.com>
>Subject: Re: Can you trust your ISP ?? 
>Date: Tue, 10 Sep 1996 11:36:44 -0500
>From: William McVey <wam@fedex.com>
>
>Ben Camp wrote:
>>Any sort of Certificate authority based protocol is dumb.  It's like RSAC
>>charging 500 bucks for rating a web site.  Nothing anyone does on the web is
>>important enough to encrypt.  
>
>Perhaps what you are explaining is a chicken and the egg problem.  Perhaps
>the reason nothing of enough importance is being done on the web is because
>we don't yet have the adequate security infrastructure to do it correctly.
>That's not to say there isn't plenty of stuff waiting for adequate security
>controls to allow important web based applications to work.
>
> -- William
>
>

