Secure Auditing for SSL Transactions
Eric Rescorla
Although SSL is by far the dominant protocol in use for electronic
transactions, it has no real provisions for dispute resolution. The
traditional approach to this problem, digital signatures, has seen
little deployment, largely due to the lack of ubiquitous
client-side PKI and the need to modify both client and server software
to add signature generation and verification capability. This talk
describes an alternate approach without these drawbacks. We use a
novel combination of passive session recording, secure hardware and
playback to provide third-party auditing capability for SSL
transactions without requiring changes to the applications on either
side.
Gates 4B (opposite 490), Tuesday 5/7/02, 4:30 PM