brendansweb at optusnet.com.au
Sun Jan 14 20:42:30 AEDT 2007
Danny Yee wrote:
> The biggest problem is that users simply ignore both ssl encryption
> and the existence of certificates, signed or otherwise. I don't know
> what can be done about this.
> A smaller problem is that it's trivial to get a signed certificate
> that verifies that www.westpac-ultrasecure.com really does belong to
> "WP Inc" or some other such entity. Maybe there should be some kind
> of certification restricted to Australian financial institutions
> and managed by ASIC or the RBA. (Of course this won't help with
> transactions with merchants.) But how useful this would be given the
> bigger problem of user blindness I don't know.
The more fundamental problem is the assumption that there is a technical solution to the issue of credibility - which there isn't. Certificates necessarily trade off security against pragmatism. It would be easy to largely eliminate identity fraud by requiring all applicants for bank accounts, etc., to be personally known to their local bank manager for at least 24 months before their application (etc.) - but it would be rather inconvenient. Identity fraud, etc., is a consequence of design decisions which have been made in the banking system.