Re: Minimal Authorization

Larry Masinter (masinter@parc.xerox.com)
Sat, 13 Aug 1994 14:49:09 PDT


Steve Crocker wrote:

> I don't know of applications where it makes
> sense to have passwords but doesn't matter if the passwords are
> disclosed to unauthorized people as they're sent over the network. I
> suppose there might be such applications, but I don't know of any.

This is often known as 'Yellow Ribbon Security'. You know how
sometimes around a scene of an investigation, they'll put up a yellow
plastic ribbon around the scene, that says "police line, do not
cross". The yellow ribbon provides no physical protection at all.

In the case of electronic communication, yellow-ribbon security is
useful in those cases where there is an auxiliary channel for vetting
the information, and the possible loss from having the password
compromised is minimal.

For example, in a typical "you can order stuff over the internet"
scheme, there is an external mechanism for establishing an account
(e.g., you supply address, phone number, credit card info over the
telephone, and this information is verified independently). You then
get an account and password. You can use this account and password to
order things (up to a reasonably small maximum order), but the orders
can only be shipped to the billing address of the credit card.

All network transactions are logged; if a fraudulent transaction is
entered (e.g., someone orders something in your name to be delivered
at your address, but you didn't order it), the vendor is willing to
accept the return, and initiates an investigation into the source of
the fraudulent transaction.

In this application, the possible gain from the misuse of the password
is small (e.g., it mainly just gives anyone who has obtained your
password in a fraudulent manner the opportunity to harass you, but not
any particular financial gain.)

Similarly, services that sell 'information' over the network may well
be able to use passwords that are transmitted in the clear. If you get
a bill for searching a newspaper database that is above and beyond
your normal bill, it is relatively simple for the vendor to reverse
the charges and initiate an investigation into the cause of the
fraudulent use.

Flat-rate online services that only allow one connection at a time
from a given user might well use unencrypted passwords; again, the
possible potential gain to the unauthorized user is minimal, and the
risk to the purchaser and the vendor is small.

I believe that it is necessary to deploy the technology that actually
allows secure transactions over the Internet, and that the net will be
more functional when it is available, but what has mainly hampered
that deployment is that there are enough situations where lower
security is adequate and also more convenient.
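As an added illustration (a constructed model, not code from this thread) of the compensating controls in the ordering scheme above: the order cap, the ship-to-billing-address rule and the transaction log bound what a disclosed password is worth, and the log gives the vendor a lead when the account owner disputes an order. MAX_ORDER, the account data and the host names are assumed values.

```python
from dataclasses import dataclass, field

MAX_ORDER = 50.0  # assumed value for the "reasonably small maximum order"


@dataclass
class Account:
    password: str         # sent in the clear; the scheme tolerates its disclosure
    billing_address: str  # verified out of band (by telephone) at account setup


@dataclass
class OrderService:
    accounts: dict = field(default_factory=dict)
    log: list = field(default_factory=list)  # every network transaction is logged

    def order(self, user, password, amount, ship_to, source):
        """Accept or reject an order; every outcome is logged with its origin."""
        acct = self.accounts.get(user)
        if acct is None or acct.password != password:
            reason = "bad credentials"
        elif amount > MAX_ORDER:
            reason = "over order cap"
        elif ship_to != acct.billing_address:
            reason = "ship-to differs from billing address"
        else:
            reason = None
        self.log.append({"user": user, "source": source, "amount": amount,
                         "ship_to": ship_to, "accepted": reason is None,
                         "reason": reason, "reversed": False})
        return reason is None

    def dispute(self, user, entry):
        """Owner reports an order they did not place: reverse it and return
        the logged origin, which is the starting point for the investigation."""
        e = self.log[entry]
        if e["user"] != user or not e["accepted"]:
            return None
        e["reversed"] = True
        return e["source"]


def compromised_password_exposure(svc, user, disclosed_password, other_address):
    """Value that someone holding the password can have shipped anywhere
    other than the billing address: the loss bound the controls enforce."""
    billing = svc.accounts[user].billing_address
    attempts = [(MAX_ORDER * 10, other_address), (MAX_ORDER, other_address),
                (MAX_ORDER, billing)]  # only the last can ever be accepted
    diverted = 0.0
    for amount, ship_to in attempts:
        if svc.order(user, disclosed_password, amount, ship_to, "unknown-host"):
            diverted += amount if ship_to != billing else 0.0
    return diverted
```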