Secure Auditing for SSL Transactions

Eric Rescorla

Although SSL is by far the dominant protocol in use for electronic transactions, it has no real provisions for dispute resolution. The traditional approach to this problem, digital signatures, has seen little deployment, largely due to the lack of a ubiquitous client-side PKI and the need to modify both client and server software to add signature generation and verification capability. This talk describes an alternative approach without these drawbacks. We use a novel combination of passive session recording, secure hardware and playback to provide third-party auditing capability for SSL transactions without requiring changes to the applications on either side.
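The following is an added toy model of the record-then-play-back flow the abstract describes; it is illustrative code written for this page, not the talk's implementation, and the talk's actual design may differ. It assumes a simplified TLS-like record layer (sequence number, ciphertext, HMAC tag), a toy HMAC-SHA256 counter-mode keystream in place of a real cipher suite, and an HMAC seal under an auditor-held key standing in for the secure hardware that guards the escrowed session keys. The sample session and keys are constructed.

```python
# Added illustration of passive recording + sealed key escrow + auditor playback.
# Not the talk's code. Assumptions (not from the abstract): toy record layer of
# seq || ciphertext || HMAC-SHA256 tag, an HMAC-based keystream instead of a real
# cipher, and an auditor-held seal key in place of secure hardware.
import hashlib
import hmac
import struct

TAG_LEN = 32


def _keystream(enc_key: bytes, seq: int, n: int) -> bytes:
    """Toy keystream: HMAC-SHA256(enc_key, seq || counter); distinct per record."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(enc_key, struct.pack(">QQ", seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def protect(enc_key: bytes, mac_key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Endpoint side: encrypt, then MAC header+ciphertext (seq is authenticated)."""
    ks = _keystream(enc_key, seq, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    header = struct.pack(">Q", seq)
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    return header + ct + tag


def unprotect(enc_key: bytes, mac_key: bytes, record: bytes) -> tuple:
    """Auditor side: verify the record MAC before decrypting; raise on mismatch."""
    header, ct, tag = record[:8], record[8:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record MAC mismatch")
    seq = struct.unpack(">Q", header)[0]
    ks = _keystream(enc_key, seq, len(ct))
    return seq, bytes(c ^ k for c, k in zip(ct, ks))


class Recorder:
    """Passive tap: stores records as they pass and escrows session keys under a seal."""

    def __init__(self, seal_key: bytes):
        self.seal_key = seal_key
        self.records = []
        self.sealed = None

    def observe(self, record: bytes) -> None:
        self.records.append(record)  # ciphertext only; the tap never decrypts

    def escrow(self, enc_key: bytes, mac_key: bytes) -> None:
        # Stand-in for secure hardware: only the seal-key holder can validate the escrow.
        blob = enc_key + mac_key
        self.sealed = (blob, hmac.new(self.seal_key, blob, hashlib.sha256).digest())


def playback(seal_key: bytes, sealed: tuple, records: list) -> list:
    """Third-party audit: check the escrow seal, then re-verify and decrypt each record in order."""
    blob, seal = sealed
    if not hmac.compare_digest(seal, hmac.new(seal_key, blob, hashlib.sha256).digest()):
        raise ValueError("escrow seal invalid")
    enc_key, mac_key = blob[:32], blob[32:]
    plaintexts = []
    for expected_seq, rec in enumerate(records):
        seq, pt = unprotect(enc_key, mac_key, rec)
        if seq != expected_seq:
            raise ValueError("record gap or reordering at seq %d" % seq)
        plaintexts.append(pt)
    return plaintexts


# Constructed sample session with fixed keys so the run is reproducible.
ENC_KEY = b"\x01" * 32
MAC_KEY = b"\x02" * 32
SEAL_KEY = b"\x03" * 32
MESSAGES = [b"POST /order HTTP/1.1", b"item=book&qty=2", b"HTTP/1.1 200 OK"]


def _record_session() -> Recorder:
    rec = Recorder(SEAL_KEY)
    for seq, msg in enumerate(MESSAGES):
        rec.observe(protect(ENC_KEY, MAC_KEY, seq, msg))
    rec.escrow(ENC_KEY, MAC_KEY)
    return rec


def audit_demo() -> list:
    """Record, escrow, play back; returns the transcript the auditor recovers."""
    rec = _record_session()
    return playback(SEAL_KEY, rec.sealed, rec.records)


def tamper_demo() -> bool:
    """Flip one ciphertext byte in a recorded record; True if playback rejects the session."""
    rec = _record_session()
    r = bytearray(rec.records[1])
    r[8] ^= 0x01
    rec.records[1] = bytes(r)
    try:
        playback(SEAL_KEY, rec.sealed, rec.records)
    except ValueError:
        return True
    return False
```

The point the model makes is that the tap stays passive (it stores only what was on the wire) and the escrowed keys are useless without the seal holder, yet a later auditor can re-derive the plaintext transaction and reject any recording that has been altered, truncated or reordered, all without either endpoint doing anything beyond its normal record-layer processing.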


Gates 4B (opposite 490), Tuesday 5/7/02, 4:30 PM