Michael Bauer (mick@visi.com)
Thu, 29 Apr 1999 09:42:10 -0500 (CDT)
Even if we have some sort of disclaimer, like "click this link only if you
are connecting from N. America?" (Hmm, I bet federal lawyers eat that
sort of defence for breakfast.)
In any event, I'm still thinking in terms of the secure web-server doing
the processing (accepting the data and either storing it or encrypting &
emailing it). Yep, securing a server is harder than securing a Java
applet, but even if we were to go the latter route, someone could swap our
applet with an evil one if they rooted the server.
Thanks, Mick
On Thu, 29 Apr 1999, Enzo Michelangeli wrote:
> -----Original Message-----
> From: mgraffam@idsi.net <mgraffam@idsi.net>
> To: Michael Bauer <mick@visi.com>
> Cc: CodherPlunks@toad.com <CodherPlunks@toad.com>
> Date: Thursday, April 29, 1999 4:39 AM
> Subject: Re: SSL + PGP
>
> >Sounds like it could be made to work.. but if the end destination is
> >the accountant, why not let the user talk to him directly? Write some
> >Java to process the credit card number on the user's computer and
> >encrypt it with the account's PK and email it to him -- this way, the
> >possibility of weak 40-bit SSL never appears, and the web-server end
> >can be pretty much read only (never has to store credit card numbers
> >or anything).
>
> If the web server is in the US, there may be legal problems with that
> solution. Couldn't uploading crypto applets to foreign browsers be
> considered equivalent to exporting cryptographic software?
>
> Enzo
>
>
>
/===========================\
| Michael D.(Mick) Bauer |
| Sr. Network Engineer |
| EXi Corporation |
| Roseville, MN |
| mbauer<at>exicorp.com |
\===========================/
The following archive was created by hippie-mail 7.98617-22 on Thu May 27 1999 - 23:44:23