Fwd: [IP] A Simpler, More Personal Key to Protect Online Messages

C. Wegrzyn wegrzyn at garbagedump.com
Wed Jul 9 08:41:31 EDT 2003


From my very practical position (I was the CTO of Authentica and 
responsible for their email and web technology) there are truths to the 
email from Ian. Though I will also state that there is a very real 
segment of the marketplace which does require a user to have secure 
messaging while the corporation might not.

Chuck Wegrzyn


Ian Grigg wrote:

>Tim Dierks wrote:
>...
>>the fact that the private key, is, in essence, escrowed by the trusted
>>third party, causes me to believe that this system doesn't fill an
>>important unmet need.
>
>I'm not sure that's the case!
>
>There are some markets out there where there are some
>contradictory rules.  By this I mean, all messages must
>be private, and all messages must be readable.
>
>Now, the challenges that these markets must meet point
>them in the direction of having a central server doing
>key escrow.  But, the central server is not allowed to
>escrow the messages or be able to read the messages.
>
>A further challenge is that these markets are full of
>leakages, and so what is needed is a way of taking the
>crypto capability away from users.
>
>This solution seems to do this latter part, in that it
>achieves the contradictory requirements of making every
>message unreadable, but crackable, and it - in theory -
>does not give users any ability to do their own crypto
>and thus bypass the system.
>
>
>
>A (purely hypothetical) example, to clarify what this
>market looks like:  Imagine the NSA had to outsource
>its encrypted comms.  They want all messages to be secret
>because .. that's kind of their mission.  But, they are
>worried about moles in the organisation, so they want
>to be able to open up the whole shebang somehow and go
>trolling for data.
>
>So how do we rationalise all this?  Simple - the people
>who use the system are not the people who buy the system.
>The market for this system is not "users" but corporates
>with special needs.  In fact if we look at the website,
>it's oriented to selling into 4 markets:  corporates,
>financial, health, and government.  If we ignore the
>first as a catchall phrase, the remaining three all have
>special needs when it comes to privacy.  And those needs
>aren't so much to do with the user as with the organisation.
>
>It was for these markets that companies like PGP Inc put
>in their fabled alternate decryption key, and companies
>like Hushmail sell "corporate packages."
>


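To make the structure Ian describes concrete, here is an added example (not code from either poster, and not Authentica's product): each message is sealed under a fresh per-message key, and that key is wrapped to both the recipient's public key and an organisation-wide escrow public key, in the manner of PGP's alternate decryption key, so the escrow holder can open any message it is handed later without the key server ever carrying message traffic. The group (modulus 2^127 - 1, generator 3) and the SHA-256 counter-mode stream cipher are toy choices assumed for illustration, not parameters to deploy.

```python
import hashlib, hmac, secrets

P = 2**127 - 1   # Mersenne prime M127: a toy-sized group, for illustration only
G = 3

def keygen():
    """Return (private, public) for the toy ElGamal-style group."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def _stream(key, nonce, n):
    """SHA-256 in counter mode used as a toy stream cipher (not for production)."""
    blocks = [hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def seal(key, data):
    """Encrypt-then-MAC under a 32-byte key; layout is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def wrap(pub, msg_key):
    """Wrap msg_key to a public key: ephemeral g^r plus msg_key sealed under H(pub^r)."""
    r = secrets.randbelow(P - 2) + 1
    kek = hashlib.sha256(pow(pub, r, P).to_bytes(16, "big")).digest()
    return pow(G, r, P), seal(kek, msg_key)

def unwrap(priv, wrapped):
    eph, sealed = wrapped
    kek = hashlib.sha256(pow(eph, priv, P).to_bytes(16, "big")).digest()
    return unseal(kek, sealed)

def send(plaintext, recipient_pub, escrow_pub):
    """Sender: fresh per-message key, body sealed once, key wrapped to BOTH the recipient and the escrow key."""
    mk = secrets.token_bytes(32)
    return {"body": seal(mk, plaintext),
            "to_recipient": wrap(recipient_pub, mk),
            "to_escrow": wrap(escrow_pub, mk)}

def read(envelope, priv, slot):
    """Open an envelope with the private key matching one slot: the recipient uses
    'to_recipient'; the escrow holder, handed the envelope later, uses 'to_escrow'."""
    return unseal(unwrap(priv, envelope[slot]), envelope["body"])
```

The escrow holder needs both its private key and the envelope, which is why the key server in Ian's description can hold keys without ever reading traffic; the design stands or falls on users being unable to strip the "to_escrow" slot, which is exactly the "taking the crypto capability away from users" problem he raises.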

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com