
driving the future


by Daniel E. Geer, Jr.

Formally trained as both an engineer and a biostatistician, Dan Geer has been development manager for MIT's Project Athena. He is vice president of CertCo and of USENIX.



Why the Financial Community Rules

NetSec Keynote, October 22, 1997

I have had the privilege of broad experience in a number of areas relevant to today's topic, in academe and in industry, in medical and in financial computing, in distributed systems and in security management. I am formally trained as both an engineer and a biostatistician. I've been development manager for MIT's Project Athena and an entrepreneur in financial security management. I'm now vice president of both CertCo, the high-end security company, and USENIX, the high-end engineering professional organization. I co-wrote The Web Security Sourcebook and chaired the first USENIX Symposium on Mobile and Location Independent Computing, the first USENIX Workshop on Electronic Commerce, and will do so for the first Public Key Infrastructure Implementors' Workshop in August 1998. I say all that for one reason and one reason only, to help you estimate my biases so that you may correct for them. The wonderful thing about experience is that it calibrates your skepticism, and the wonderful thing about lack of experience is that it gives you design freedom.

Given my biases, I am going to describe where the future of the security marketplace is and where it is not. I will argue that the financial community is and remains the place to look for "first light" from each new security technology. I will give you a rundown of what's new while I predict what little time is left for many of today's products, purveyors, and regulators. I will argue that, in many ways, the party's over for the security field as we know it now. I will range broadly because security, as a concept, is universal.

"Nothing Is So Powerful As an Idea Whose Time Has Come"

I begin by claiming that Voltaire's famous dictum applies to security technology. On October 7, 1997, IBM took eight consecutive full-page ads in the Wall Street Journal to tout its electronic commerce expertise. On the final page, they listed the three requirements of the business future; they were #1 security, #2 scalability, and #3 integration. IBM is right. Forrester, Gartner, META, Yankee, and all the other analysts agree – the single most important enabling technology for the electronic business, besides network connectivity itself, is security. In a different light, A. D. Little estimates that security, privacy, and the legal issues of digital signature constitute over half of the quantifiable barriers to electronic commerce.

There are whole venture funds whose investment focus is around security. Security startups are everywhere and so are security books. The word "security" is hardly rare in employment advertisements, and some companies even have a "corporate security officer" to go with all the other CxO titles. You cannot walk a single aisle of a single trade show and not see the word "security" in screaming big type. The number of security meetings is preposterous, and yet all of them are packed. Only yesterday, a presidential commission recommended spending real money on security for the information systems that run the country, and to do so jointly with the Departments of Defense and Commerce. This idea's time has come.

Andy Warhol was also right when he said, "In the future, everyone will each get 15 minutes of fame." Ten days ago today, the Web site at Forbes Magazine predicted that not one of today's leading security specialty companies will survive because they all can easily be eclipsed by the platform vendors. Only the platform vendors can deliver security that is integrated enough to scale (remember the three requirements?), and when the platform vendors start supplying security, where will the innovative specialty add-ons be? As even the Justice Department knows, once something moves into the operating system, the independent market for it collapses. Yes, security's time may well have come, but in a Warhol world, that would mean that it is about time to go.

Trust Management

Security innovation has always had one foot in academia. The academic focus of "security" research today is the study of "trust management," i.e., the study of how trust is created, propagated, circumscribed, stored, exchanged, accounted for, recalled, and adjudicated in an electronic world. This is both natural and mature. It is natural because security is a means and not an end; security procedure has to deliver enablement of something greater than itself or it is not worth the cost. It is mature because security technology is increasingly differentiated along cost-benefit lines: how much benefit (enablement) is delivered for how much cost (of integration). All the security technology that you can buy today enables some aspect of trust management, and the market is coming up with novel variations all the time.

You can walk out of this hall and buy systems that use passwords that get local machines to trust you enough to let you in. You can buy smart cards that can do your cryptographic calculations for you, respond to challenges, hold your keys inviolable, or, more interestingly, have identities of their own and serve merely to introduce you to others on their own terms. You can buy biometric devices that look at your voice, your face, your retina, your fingerprint, or even the personal idiosyncrasies of how you learned to type and say, "Yep, that's the guy." You can get systems that are sufficiently hardened that you can trust them if for no other reason than they are so nearly useless that no one would want to break in. You can still get your hands on security systems in the raw and roll your own directly from source code – trust propagation for the connoisseur, as it were.

For enough money, you can get systems that claim to package trust really pretty neatly, like a digital certificate supposedly enabling a "high-value, time-sensitive, Web-based, multiparty, globalized, transactional, and auditable business-to-business" deal. You can, anywhere, anytime, spin up virtual private networks that are trustworthy protectors of your confidentiality, however hostile the intervening wires are. You can even deliver privacy between strangers – nearly a matter of creating trust in order to propagate it. You can put a document into the Eternity Service and trust that it can never be erased, or you can put it into a cryptographic filesystem and trust that it can never be found. Simple? Yes, academic and entrepreneurial segments alike are busy supplying many novel ways to propagate trust. They have it all wrong.

Risk Management

All of you who have ever taken a course in probability know that many problems are solved by calculating their dual – the probability of "not X" may be a whole lot more tractable than figuring Pr(X) directly. All of you in security-based startup companies know that making money requires making excitement, even if the excitement is somebody else's public humiliation at the hands of an attacker. And all of you can agree that the more important something is, the more inevitable that it must be managed. Trust management is definitely exciting, but like most exciting ideas, it is not important (just as most important ideas are not exciting). What is important is risk management, the sister, the dual of trust management. And it is risk management that is the part of financial services that will drive the security world from here on out, whether you realize it or not.

Every financial firm of any substance has a formal Risk Management Department that consumes a lion's share of the corporate IT budget. The financial world in its entirety is about packaging risk so that it can be bought and sold, i.e., so that risk can be finely enough graded to be managed at a profit proportional thereto. Everything from the lowly car loan to the most exotic derivative security is a risk-reward trade-off. Don't for a minute underestimate the amount of money to be made on Wall Street, London, and/or Tokyo when you can invent a new way to package risk. The impact of Moore's Law on the financial world has been nearly inestimable. Computing has made that world rich because it has enabled risk packaging to grow ever more precise, ever more differentiated, ever more manageable. You don't have to understand forward swaptions, collateralized mortgage obligations, yield burning, or anything else to understand that risk management is where the money is. In this capitalist world, if something is where the money is, that something rules. Risk is that something.

Security technology in both the here and now and in the heretofore has been about moving trust around as if risk is always undesirable and reliable trust management obviates the issue of risk in some general sense. It does not come close. In three years, the "trust-hauling" market will be somewhere on the down slope between legacy and dead. Risk management is going to take over as the dominant paradigm because risk management can delineate trust, but trust management cannot delineate risk. The Internet has made this so.

The Internet is irresistible in one way in particular – it lowers barriers to entry on a global basis, and I mean global in both space and time. Obscure countries can leapfrog the established economies. Ever more important parts of the world's economy will exist only in cyberspace, and lead times have entirely collapsed. Every professional fortune-teller is bidding geometric increases in the dollar volume of electronic commercial activity. But, and as everyone in this room knows, when there is enough booty available, even absurdly difficult attacks become plausible. This is the world we are in. It will never be possible to really do the job of trust management any more than it is possible to really win an arms race. But risk management – that is doable and it is doable at a profit. The proof is all around us.

Public Key vs. Secret Key Systems

Numerologically, we are a score of years down this road. In 1978, a vintage security year, the remarkable papers by Rivest, Shamir and Adleman and Needham and Schroeder were published, both in CACM, as it happens. The former introduced compelling public key ideas and the latter unwittingly created Kerberos. The counterpoint between these two technologies is instructive. Both symmetric cryptosystems, like Kerberos, and asymmetric cryptosystems, like RSA, do the same thing – that is to say, they do key distribution – but the semantics are quite different. The fundamental security-enabling activity of a secret key system is to issue fresh keys at low latency and on demand. The fundamental security-enabling activity of an asymmetric key system is to verify the as-yet-unrevoked status of a key already in circulation, again with low latency and on demand. This is key management and it is a systems cost; a secret key system like Kerberos has incurred nearly all its costs by the moment of key issuance. By contrast, a public key system incurs nearly all its costs with respect to key revocation. A rule of thumb might be that the cost of key issuance plus the cost of key revocation is a constant, something one might colloquially describe as just yet another version of "you can pay me now or you can pay me later."

Because of the trade-offs between who pays for what part of the systems cost and who gets the benefit, secret key systems and public key systems have different fields of use. Secret key systems are fast and offer revocation at no marginal cost. Public key systems are slow, but they enable digital signature and thus enable proof of action, nonrepudiation, as it is called. Secret key systems are quite appropriately the default choice within an organization, and public key systems are similarly the default choice between organizations, i.e., secret key for where security is an intramural concern intramurally arbitrated, and public key for where security is extramural, thereby requiring recourse to a third party judge in cases of dispute. The seemingly relentless blurring of what is intramural and what is extramural will likely favor public key over time.

However, a trust management paradigm says that a digital signature is only as valid as the key (in which it was signed) was at the moment of signature, which, in turn, is only as good as the procedural perfection of the certificate issuer and the timely transmission of any subsequent revocation. These are high costs. In fact, the true costs of general public key infrastructure are so extraordinarily high that only our collective ignorance of those costs permits us to propel ourselves toward a general PKI as if it were a panacea, a cure-all. When, not if, the user community at large realizes this, we "security people" will have but two choices: compromise on (gloss over) the quality of trust that public key can deliver or back off from the claims of full trust ­ cheap. In other words, we'll have to fit the benefit to the endurable cost or fit the cost to the requisite benefit. Because, as a rule of thumb, to halve the probability of loss, you have to at least double the cost of countermeasures, any finite tolerance of cost means an upper bound on how much security you can get. In the fullness of time, security technology will be evaluated on the same cost-benefit-risk trade-off that other technologies are evaluated on. This is the price of maturity; this is the price not yet paid.

Do not misunderstand me; public key technology, secret key technology, security technology in general are daily reaching new levels of protective capability. What they cannot protect against is being oversold. And they are being oversold. Why is that?

The Internet as Data Center

The days when the Internet was a toy are gone, even if a high percentage of its new investors is coming in merely to avoid looking dowdy. To some extent, the real question on the table is, when does the Internet become more like the data center? And what does making the Internet more like the data center mean? At a minimum, it means metered use, once known as charge back. Take, for instance, spam email. Already discussions are widespread about requiring Internet postage; large ISPs will probably demand it, existing postal services would love to sell it, and data centers, such as the financial giants, will get a better handle on what goes in and out the door. At least one Wall Street bank already does charge back for network bandwidth consumption, and their internal electronic security regime plays a role in assigning those costs just as, in turn, their security group manages the user database via incremental updates rather than fresh full copies just so as to avoid bandwidth charges. That's not postage, but it is close and it is now.

But before you cheer "making the spammers pay," be careful what you ask for because you might just get it. In a world of electronic postage, spammers will probably just pay the freight. It will slow them down a little, but electronic postage will probably just convert email spam into an electronic equivalent of today's junk mail. As always, throttling demand by raising prices will bounce some people off the wire, but it is unlikely to be those who can pass their costs along to their clients. No doubt someone will think of making postage differential, based on who the sender is, just as it is in the paper world, and pretty soon postage for the Internet will be as savory a blend of price and convenience as postage for paper mail already is.

Incremental use charges are but one example and are interesting mostly because they are a near term step in the direction of making the Internet into a data center. The fundamental value of the data center remains the information it holds. The past few years have seen data warehousing, data mining, and now connection of the data center to the Web, data publishing, if you will. MVS, for example, has a really good Web server, and someone in the audience will have to show me what the difference really is between a 1970s central time-share machine and an MVS Web server in a swarm of "thin clients" on fast networks. It certainly isn't the direct wire connection – SSL simulates that well enough. It surely isn't the management model; the MIS director who had declared defeat in desktop configuration management will, you can be sure, rejoice at getting control back.

In the mainframe world, you move the computation to where the data are rather than, as in a client server world, moving the data to where the computation is. Web servers front-ending corporate databases attached to virtual private networks full of a universal client like a Web browser sure sounds like a resurgence of the data center to me. The IBM 390 is a good machine, and the Wintel cartel has pretty much ensured that no upstart will enter their space as it is currently constituted. From Wintel's point of view, using all those desktop cycles for display functions is just fine. Can it be that simple?

Nick Negroponte famously imagined what later became known as "The Negroponte Switch" in which he predicted that what had been wireless would become cabled and what had been cabled would become wireless. The cellular phone and cable TV have, just by themselves, made his prediction true. Well, here's another switch – because of the Internet, who owns the data center and who owns the desktop will switch. IBM has long owned corporate computing while Wintel has consolidated its victory in the desktop wars. But just as the wired vs. wireless world flipped, so will this one.

Of all the computing companies, IBM is the most internally heterogeneous, and it is actually the most committed to heterogeneity. It is teamed with Oracle and with Netscape, i.e., with the database and the thin but universal client. They will inherit the desktop. But Microsoft is after the server-side software market, and it has managed to entice HP into its parlor. With HP's scalable industrial strength and quality, something Microsoft has never known, they will inherit the data center. This is the switch; watch for it.

UNIX, however superior as a tool for people who appreciate knowing what to do and being able to do it for themselves, remains in a difficult position. I am reminded of Garrett Hardin's term "tragedy of the commons." Hardin observed that what is owned in common and openly available to everyone will ultimately be vandalized or subdivided. There are probably books to be written on that topic, but I submit that UNIX's status as a commons remains both its enduring strength and its enduring vulnerability.

Financial markets arguably made SUN what it is today and vice versa – SUN's first big win, the first big demonstration that computing power had risen to such a degree that moving the data to where the computing is made sense, "the network is the computer" and all that. Financial markets, in the sense of traders going head to head, used that power to replace who you know with what you know and set off a technology-as-weapon metaphor that has overtaken most of the business world. Financial markets, in the sense of exchanges, now rely on a dense spread of computing that exceeds what most of us have to deal with; more than one major bank has 15,000 FTP jobs a night just moving data to or from the data center. Plenty of staff at the NYSE lose $1,000 apiece for every 15 minutes the exchange is late opening due to IT unavailability. No computing equipment is too expensive when trumped with "I can make that back on the first trade." No small country runs its currency anymore.

Before network technology, there was no question that the fundamental purpose of an exchange was to provide "an advantage of time and place" to those who would trade on it and, in so doing, establish efficiency and liquidity baselines against which others would be judged. Beginning first with the "paperwork crisis" in the 1960s and reaching a crescendo after the "crash of 1987," the exchanges have been fully committed to electronic commerce before that phrase meant anything. But since the Internet, time and place are meaningless, and the exchanges know it. They are working hard to make oversight, fair play, and quality of service into new baselines. Clearly, security technology, just as in that WSJ advertisement, is first in the list of their requirements, followed closely by scalability and integration. Just imagine how you would design the security infrastructure to mix the private networks of mortal enemy trading firms on the floor of an exchange, especially when someone working at Lehman Bros. today might be at Morgan Stanley tomorrow and everyone wants to use wireless communication.

Bringing a Transactional Semantic to the Internet

Security in a financial world market that is both nowhere and everywhere is a difficult thing to define well enough to solve. If there is anything to engineering as a discipline, it is that the heavy work is in getting the problem statement right. So, to return to my central premise, if new security technology is a result of investment and if the investment in security technology is naturally centered within the financial community, what is the problem statement? If we get that right, we can predict the future.

I submit that the problem statement is about bringing a transactional semantic to the Internet. This is not a new problem, but it is an as yet unsolved one. The existing financial markets want transactions because transactions are what they are about and transactions are what they know. Upstarts like the payment vendors want to be the first to deliver transactions and disintermediate the financial firms. Technically smart legal beagles know that there is no transaction without recourse, no recourse without contract, no contract without nonrepudiation, and no nonrepudiation without digital signature. Anyone who wants to do business on the Web needs transactions.

So what do I mean by "transaction"? I mean a nonrepudiable communication between two parties who can each verify the time-, value-, and content-integrity of the communication, who can rely on the confidentiality of that communication, who have assurance of the authenticity and authorization of their counterparty in the communication and who can, collectively, present all these evidences to third party adjudication should there be a need for recourse at any arbitrary time in the future. Every single part of that definition begs the question of security mechanism, and it is on that basis I claim that the security technology of tomorrow will be crafted in response to the unmet needs of financial markets today.

Hal Varian, an economist and dean of the Information Management School at UC Berkeley, is of the opinion that what the Internet changes more than anything else is that it brings the possibility of auction to markets that never had that option. You can verify this yourself by looking at the number of ways in which price discovery through auction is already available on the Web. All these auctions need security technology because what makes an auction an auction is the ability to conclude a transaction that, by its own execution, "discovers" a price. An Internet auction is no different. In other words, the nature of the world's economy is changed by the existence of the Internet, but on the condition that electronic transactions are up to the job.

Your handwritten signature on a check is what, in principle, authorizes that funds move from A to B. But, from a bank's point of view, actually verifying handwritten signatures is a cost that is worth bearing only if the cost of verification is less than the risk of loss. At the largest banks, the threshold dollar amount below which verification does not really happen is a closely guarded number, but it generally exceeds $20,000, and still they have platoons of people doing this all day, every day. Converting the means of signature verification from a manual process into a machineable one would radically change the economics of check processing. It would add billions to the collective bottom lines and do it from the cost-avoidance side of the ledger.

But that is not all. Some $300B of payments are made every day of which but $60B are in the form of checks; the balance is largely in cash transactions of $5 or less. From both the merchant's and the bank's perspectives, getting rid of cash would be a huge win because physical processing of small dollar amounts often exceeds the profit margins on those sales. The consumer may well adopt cashless payment out of some sense of convenience, but the financial side of the house will enable it to avoid costs.

Payment on the Web has sparked numerous startups with a wealth of different mechanisms. Although it is too late for you to enter this market, it is not too late for those payment systems vendors to rethink what they are trying to do. As it is, all of them are suffering because the volume of Web-based retail business has not picked up as fast as their business plans had hoped. For the retail customer, the only thing the Web offers is product discovery; a good print catalog and an 800 number are otherwise hard to beat. It is clear that the real money in Web commerce is in business-to-business commerce, but there the supply chain has a lot more complication, and the kinds of security mechanisms need to be somewhat different from those for, say, buying a toaster oven or a sweater. Whereas retail commerce is about small dollar amounts and stranger-to-stranger transactions through a financial intermediary like a credit card company, business-to-business is more about relationships, the dollar value of the sale is much bigger, and banks play a direct role (through letters of credit, collateralized bills of lading, etc.).

This kind of commerce does not have a good solution yet. If you want to sell into this market, be aware that the customer will buy either to avoid costs she has now or to make revenue he doesn't have yet. In the case of saving costs, you'll have to sell the customers the technology on a turnkey basis – they will not cut you into the transactional revenue stream. If you can really show that your technology will make them revenue they did not have a chance to make otherwise, you may be able to get a piece of the revenue stream, but do not underestimate the cost-avoidance focus of big buyers and sellers. As far out as 2005, over half the Internet transactions will be transactions converted from paper and credit/debit cards, not new transactions. When selling into a cost-averse market you automate rather than revolutionize, and you do not get a piece of the action.

"Disintermediating the Banks"

Everyone likes to talk about "disintermediating the banks," that is, making the intermediary role of banks in commerce less essential by performing that service in some other way. Bill Gates, for example, is widely quoted as saying that "Banks are dinosaurs." At the high end, they are not dinosaurs and they are not about to be disintermediated. The banks have a natural affection for their income streams, but that doesn't prevent disintermediation. Most wiseguys trying to disintermediate the banks misunderstand what banks do. This is what they do: they interpose their balance sheet between the expectations of the counterparties to a transaction and the risk of default on either of their parts. They undertake stop-loss protections against credit risk, insolvency, operational failure, currency fluctuation, and diversion of funds delivery. In other words, they manage risk because they can absorb loss. An electronic commerce payment technology vendor cannot absorb loss, so it cannot and will not disintermediate the banks.

Think of it this way: all public key technology is about making a digital signature verifiable, i.e., it is about quality control and guarantee on the signature itself. This is a stunning thing, but it is not the whole equation. The intermediation role that banks play is to guarantee the transaction, i.e., it is broader than just the verification of a signature. The bank's know-how and its balance sheet are not something that can be replaced by a cryptographic calculation. The ability to avoid loss never completely makes up for the ability to absorb loss. The cryptography guarantees the signature. The bank's capital guarantees the transaction. Risk control encapsulates trust.

In the midst of this, you might ask "What are the standards?" in the sense of "What do the formal standards groups have to say?" The banking world is regulation rich and standards rich, too. This begs an interesting question – "Which standards matter?" The world of the Internet is making some of the banking-centric standards passé, but, unlike the combination of standards and regulations the banks are familiar with, the standards groups of the Internet cannot take on accountability for the implications of conformance/nonconformance, though they continue to define it for others. This makes Internet standards quite a bit more difficult to swallow because there is no accountability, nor can there be. The absence of enforcement probably guarantees that the only Internet standards that will really get attention are those that promote interoperability across jurisdictional boundaries. Oddly, this is all the pioneers in the Internet wanted.

What the banks want, and I assure you they will get, is a set of cryptographically sophisticated tools that move the risks of the Internet from open-ended to estimable. In a sense, this is like insurability. It is probably apocryphal, but the story goes that a major investment firm with a Web commerce idea went to a big insurance company to seek insurance. The conversation supposedly went like this:

"How big is the potential loss?"
"We don't know."
"How likely is a loss to occur?"
"We don't know."
"How much is your company worth?"
"This much."
"That's the premium; send it in."

Whether true or not, it illustrates the point – the issue was getting a handle on the risk such that it could be priced. Let me make a prediction in this regard. Every one of you who has tried to sell security technology has discovered that the only willing customers are those who either (1) have just been embarrassed in public or (2) have just learned that they are facing a management audit. Everyone else is an unwilling customer. We've been dumb about this; we've tried to sell security as a means to establish trust but we've done it by preaching about risks. It's no damned wonder that we haven't sold much. I know I have often wondered if my market might not explode if I could just get one of the big loss-prevention insurers to make good security practices and technology into an underwriting standard. Then, just like with fire insurance and the question of do you have sprinklers or not, everyone would be forced to confront whether they wanted to pay for security or pay for nonsecurity. I was, and am, pretty confident that the insurers could soften up my targets a lot better than I could.

Let me tell you, they are about to. Insurability of Web commerce is essential, and no insurer is going to accept "We don't know" as an answer. They will say "Send it all in" and they'll mean it. The demand side for security technology is about to explode, but it isn't quite the security technology we have on hand.

Trusted Third Parties

But there is another point: if a digital signature has the uniquely irreplaceable property of providing proof to a third party judge, then the role of a "trusted third party" is going to become more important over time, not less. Think of it this way: when I get a certificate issued to me by a certifying authority, I do have some risk around whether the CA is well operated or not. This includes the probability they will issue a certificate with my public key but someone else's name and whether, when I tell them that my key has been compromised, they will spring into decisive action. Most of that risk I can handle by a combination of due diligence and contract.

However, when I give my certificate to you and say, "Hi, I'm here from Central Services to fix your system," you are in a risky position. You have to say, "Is this certificate valid?" That means you have to check that the certificate is not listed as revoked, that the signature on the certificate is well formed, that the certificate authority that issued this certificate itself has an identity certificate that is validly signed, that the certificate authority is itself not in any trouble with revocation, and so on and so forth, recursively.

In other words, this exceeds the intellectual and programmatic capacity of most certificate recipients. This means that most recipients cannot themselves rely on the security technology to establish trust beyond the shadow of a doubt. Instead, if recipients are smart, they will turn again to the insurance world, just as risk holders have done whenever they cannot afford to sustain the consequences of a remotely unlikely event. The insurer, for his part, will underwrite a guarantee on the transaction for a fee that reflects his assessment of the CA's practices, the kind of transaction undertaken, the dollar amounts involved, etc. This will seem sensible to all parties because it is so familiar. This is risk management underwritten by financial intermediaries. This is where we will shortly be.

There is one potential fly in this ointment, and I do not intend to dwell on it, but I cannot get this far and not mention the risks of building up strong security apparatuses only to have them undermined by key escrow policies, whether by companies or by governments. If you will, corporate policies and laws alike have always been defined in a territorial way that relies on clearly identifiable borders, physical locations where the policy or the law comes to an end. But, as I have said, in the electronic world, borders are meaningless. In some sense, sovereignty, based as it was on the idea of a border, is less meaningful now than it has been for some centuries. In its place is a different kind of sovereignty, one that recognizes that the only borders that are defensible in an electronic world are electronic borders, that is to say, that electronic borders are cryptographic ones. As such, the debate over who may or may not have a key known only to themselves is a proxy discussion for who may or may not have sovereignty within the potentially large number of cryptographically defined spaces.

There are some very hard questions yet unanswered. Compromised keys are revoked effective not from the moment of suspicion of compromise, but rather retroactively to the last known time when the key was safe. In the case of escrow, should not a key's owner retroactively revoke it to the moment of its seizure from escrow if the owner discovers that it has been so seized? Or if a key is revoked only by the action of the certifying authority signing a revocation notice with a special key, can that revocation-signing key itself ever be revoked? If it could, would that not invalidate (reverse) any revocations signed with it, and what does that mean? I offer these only to encourage you not to equate my argument about the near-inevitability of investment in public key technology and digital-signature-dependent activities with any argument over infallibility of the technology or our understanding of it. These questions will be settled one way or another, but they remain open as we speak here today.
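The recursive validity check described under "Trusted Third Parties" (revocation of the subject's key, a well-formed signature, a validly certified issuer, the issuer's own revocation status, and so on up the chain) and the retroactive-revocation questions just raised can be made concrete in a small model. The following is an added example, not code from the talk or from any real PKI product. It assumes a toy "signature" that is just a hash over the signer's key id and the signed bytes (so it models only the "is the signature well formed" step, not secrecy or public-key mathematics), integer timestamps, a certificate treated as having been signed at its not_before time, and a set of key ids trusted a priori as anchors; all certificate and revocation data is constructed for the example.

```python
"""Toy model of recursive certificate-chain validation with retroactive revocation."""
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

ANCHORS: Set[str] = {"root-k1", "root-crl-k1"}   # constructed: root signing key, root revocation key


def toy_sign(key_id: str, payload: str) -> str:
    # Stand-in for a digital signature (assumption: anyone knowing key_id can recompute it).
    return hashlib.sha256(f"{key_id}|{payload}".encode()).hexdigest()


@dataclass
class Cert:
    subject: str
    key_id: str         # key this certificate binds to the subject
    issuer: str         # subject name of the issuing CA
    issuer_key_id: str  # key the issuer signed with
    not_before: int     # validity window as integer timestamps
    not_after: int
    signature: str = ""

    def tbs(self) -> str:  # the "to be signed" bytes
        return f"{self.subject}|{self.key_id}|{self.issuer}|{self.issuer_key_id}|{self.not_before}|{self.not_after}"


@dataclass
class Revocation:
    key_id: str         # key being revoked
    effective: int      # retroactive: last time the key was known to be safe
    signer_key_id: str  # the revocation-signing key
    signature: str = ""

    def tbs(self) -> str:
        return f"{self.key_id}|{self.effective}|{self.signer_key_id}"


class Validator:
    def __init__(self, anchors: Set[str], certs: Dict[str, Cert], revocations: List[Revocation]):
        self.anchors, self.certs, self.revocations = anchors, certs, revocations

    def revoked_at(self, key_id: str, t: int, seen: FrozenSet[str] = frozenset()) -> bool:
        """True if a trustworthy notice revokes key_id effective at or before time t."""
        if key_id in seen:           # break cycles (a key already under examination)
            return False
        seen = seen | {key_id}
        for r in self.revocations:
            if r.key_id != key_id or r.effective > t:
                continue
            if r.signature != toy_sign(r.signer_key_id, r.tbs()):
                continue             # malformed notice carries no weight
            # A notice counts only if its signing key is an anchor and is not itself
            # revoked. Revoking the revocation key thus reverses every notice it signed.
            if r.signer_key_id in self.anchors and not self.revoked_at(r.signer_key_id, t, seen):
                return True
        return False

    def validate(self, subject: str, t: int, seen: FrozenSet[str] = frozenset()) -> Optional[str]:
        """None if subject's certificate chains to an anchor at time t, else the failure reason."""
        if subject in seen:
            return f"{subject}: cycle in chain"
        seen = seen | {subject}
        cert = self.certs.get(subject)
        if cert is None:
            return f"{subject}: no certificate"
        if not (cert.not_before <= t <= cert.not_after):
            return f"{subject}: outside validity window"
        if cert.signature != toy_sign(cert.issuer_key_id, cert.tbs()):
            return f"{subject}: signature malformed"
        if self.revoked_at(cert.key_id, t):
            return f"{subject}: key revoked"
        if cert.issuer_key_id in self.anchors:
            # Reached a trust anchor; it still must have been unrevoked when it signed.
            if self.revoked_at(cert.issuer_key_id, cert.not_before):
                return f"{subject}: anchor key revoked before signing"
            return None
        issuer = self.certs.get(cert.issuer)
        if issuer is None or issuer.key_id != cert.issuer_key_id:
            return f"{subject}: issuer {cert.issuer} has no certificate for key {cert.issuer_key_id}"
        # Recurse at the signing time (assumed = not_before): the issuer's own certificate
        # and key had to be good when it signed, which is what retroactive revocation tests.
        return self.validate(cert.issuer, cert.not_before, seen)


def build_pki() -> Dict[str, Cert]:
    inter = Cert("Intermediate CA", "int-k1", "Root CA", "root-k1", 100, 1000)
    inter.signature = toy_sign(inter.issuer_key_id, inter.tbs())
    alice = Cert("alice", "alice-k1", "Intermediate CA", "int-k1", 200, 900)
    alice.signature = toy_sign(alice.issuer_key_id, alice.tbs())
    return {inter.subject: inter, alice.subject: alice}


def revoke(key_id: str, effective: int, signer: str = "root-crl-k1") -> Revocation:
    r = Revocation(key_id, effective, signer)
    r.signature = toy_sign(signer, r.tbs())
    return r


def demo() -> Dict[str, Optional[str]]:
    certs = build_pki()
    tampered = dict(certs)  # key swapped but old signature kept
    tampered["alice"] = Cert("alice", "mallory-k1", "Intermediate CA", "int-k1", 200, 900, certs["alice"].signature)
    return {
        "clean": Validator(ANCHORS, certs, []).validate("alice", 300),
        "tampered": Validator(ANCHORS, tampered, []).validate("alice", 300),
        "alice_revoked_later": Validator(ANCHORS, certs, [revoke("alice-k1", 250)]).validate("alice", 300),
        "alice_before_revocation": Validator(ANCHORS, certs, [revoke("alice-k1", 250)]).validate("alice", 240),
        "issuer_revoked_before_signing": Validator(ANCHORS, certs, [revoke("int-k1", 150)]).validate("alice", 300),
        "issuer_revoked_after_signing": Validator(ANCHORS, certs, [revoke("int-k1", 250)]).validate("alice", 300),
        # Revoking the revocation key itself makes the earlier notice on alice-k1 vanish.
        "revocation_key_revoked": Validator(ANCHORS, certs, [revoke("alice-k1", 250), revoke("root-crl-k1", 0)]).validate("alice", 300),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome or 'valid'}")
```

The last two scenarios carry the talk's point: an issuer key revoked retroactively to a moment before it signed alice's certificate invalidates that certificate, while a revocation effective after the signing leaves it standing; and once the revocation-signing key is itself revoked, the model drops every notice it ever signed, so alice's revoked key is silently valid again. A real deployment has to decide that semantics deliberately rather than inherit it from the validator's control flow.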

I have tried to lay out my estimation on which way the tide is running and which moon's gravity matters. I could be completely wrong or merely overstating what my biases bring me, but I think not. I think that just as the best estimate of tomorrow's weather is today's, the best estimate of how the Internet and the financial behemoths will interact is for the Internet to be driven, perhaps only as a side effect, by the cost-reduction and profit-incented strategies of those financial behemoths. They already transcend national boundaries, and their investment decisions do run the world, including our part of it. Were this to get enough investment, it might make security a solved problem, at least as I define "solved" to mean "consistent with risk management in the insurance style." Because that would collapse the market for novel security add-ons, I strongly suggest that, as you prepare your business plans, you figure out how to be, as Tom Lehrer would say, a doctor specializing in diseases of the rich.

This is a very exciting time, and it is a privilege to be a part of it, both for me and for you. When we are all relics in rocking chairs, we will still know that we were present at the creation.

First posted: 28th May 1998 efc
Last changed: 28th May 1998 efc