Re: [perpass] perens-perpass-appropriate-response-01

Albert Lunde <atlunde@panix.com> Mon, 09 December 2013 00:24 UTC

Return-Path: <atlunde@panix.com>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B24661AE0DB for <perpass@ietfa.amsl.com>; Sun, 8 Dec 2013 16:24:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.202
X-Spam-Level:
X-Spam-Status: No, score=-4.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FWL8z5AQV5Eb for <perpass@ietfa.amsl.com>; Sun, 8 Dec 2013 16:24:20 -0800 (PST)
Received: from mailbackend.panix.com (mailbackend.panix.com [166.84.1.89]) by ietfa.amsl.com (Postfix) with ESMTP id 02D581AE0A9 for <perpass@ietf.org>; Sun, 8 Dec 2013 16:24:19 -0800 (PST)
Received: from [192.168.15.5] (unknown [50.9.9.201]) by mailbackend.panix.com (Postfix) with ESMTP id C88F5352E2; Sun, 8 Dec 2013 19:24:14 -0500 (EST)
Message-ID: <52A50DAC.7040601@panix.com>
Date: Sun, 08 Dec 2013 18:24:12 -0600
From: Albert Lunde <atlunde@panix.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.1.1
MIME-Version: 1.0
To: "perpass@ietf.org" <perpass@ietf.org>
References: <E2DA1477-C86E-441E-A33D-D47A0D67AFF3@iab.org> <529E8494.7000806@perens.com> <20131204111309.GB11727@nic.fr> <529F61D8.6030105@perens.com> <20131204171207.GC19914@thunk.org> <529F63C0.3040804@perens.com> <529F88AC.3090904@appelbaum.net> <529F90A0.8000706@perens.com> <529F9205.30906@appelbaum.net> <529F98C0.9090808@perens.com> <529F9F14.8050805@appelbaum.net> <529FB61A.7090604@perens.com> <529FBEF9.7030205@appelbaum.net> <529FC347.3080806@perens.com> <52A15835.2070901@cis-india.org> <52A21B80.8070005@mykolab.com> <52A21D1C.8020000@perens.com> <BC888A6F-F048-4BA6-92F4-8812753F8534@icsi.berkeley.edu> <52A2235A.2030801@perens.com> <ADD6858C-7548-479E-BB71-316E9C52F812@icsi.berkeley.edu> <c97f3134-eedf-44e1-880c-147efb172fc6@email.android.com> <240A2D86-C352-4954-BE4E-6313BA25994E@icsi.berkeley.edu> <52A2CE6A.30408@perens.com> <52A31F1D.7040509@cs.tcd.ie> <5D026682-5457-4F00-B139-58D8D718BB0A@icsi.berkeley.edu> <454F08BE-5C79-408B-B356-6D895C9B1CC3@isoc.org>
In-Reply-To: <454F08BE-5C79-408B-B356-6D895C9B1CC3@isoc.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [perpass] perens-perpass-appropriate-response-01
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The perpass list is for IETF discussion of pervasive monitoring. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass/>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Dec 2013 00:24:21 -0000

On 12/8/2013 1:59 PM, Robin Wilton wrote:
> Nick,
> >
> I agree that there is a cost threshold for signature/MAC. It is
> something I uncovered in my PKI research: for PKI-enabled micropayments
> it is, arguably, not worth signing the public key involved, if the
> number of disputed payments is at normal levels... because normal
> levels, for most micropayment applications, are low. It's more
> cost-effective to simply refund the tiny minority of disputed payments.

It seems like a threat model that assumes the sole risk is disputed 
payments "at the normal rate" is broken in the presence of automated 
attacks.

I don't think the NSA is the only bad actor, in the short term, 
for-profit criminal groups seem more likely to do active or tailored 
attacks.  This can result in bursts of fraud and/or malware affecting 
particular clients or sites disproportionately.