
Re: [TLS] Please discuss: draft-housley-evidence-extns-00<



see inserted:
----- Original Message ----- 
From: "Martin Rex" <martin.rex@xxxxxxx>
To: "Stefan Santesson" <stefans@xxxxxxxxxxxxx>
Cc: <tls@xxxxxxxx>
Sent: Wednesday, January 10, 2007 3:32 PM
Subject: Re: [TLS] Please discuss: draft-housley-evidence-extns-00<


> Stefan Santesson wrote:
> >
> > The proposal can provide a relatively simple mechanism to
> > authenticate events, such as agreements, conducted over a TLS session
> > and there is no working, off the shelf, alternative solution available
> > today that works cross platforms.
> >
> > Example scenario:
> > The server side wants to present some data to the client that the
> > user has to accept. Such as agreeing to a purchase order.
>
> OK, I'll try to make it short:
>
> There is absolutely NONE, ZERO, NIL chance that this can be used
> in customer<->business relationships in the European Union, because
> it is incompatible with the EU data protection directive in many ways.
>
> -Martin

And in the US they mostly look at digital signature as a way to strongly
authenticate the user and not as a replacement for a written signature. At
least in the US, at least one big b2b exchange said that they have a simple
non-repudiation practice: they make customers (buyers and sellers) sign
an agreement that stipulates that whatever is the record of a transaction
in the exchange database holds as the non-repudiable record (the name
withheld due to the NDA). So they have no need for even application-level
non-repudiation. So, as Stefan pointed out, b2b simply uses http today. In
my meetings with b2b customers they say that they need performance, not
digital signatures. The majority of US financial institutions do not even
symmetrically encrypt the data on their intranet for want of better
performance (and they still meet the audit requirements circa 2003), so even
the use for data retention is questionable. b2b exchange customers even want
to replace the internet with private lines in order to get rid of the latency
associated also with internet security requirements. As ekr pointed out too,
there is a serious performance penalty that comes with evidence. The b2b
customers that I have met, if they could vote, would vote for performance and
against performance-degrading evidence.
--Omirjan



_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls