public-key: the wrong model for email?

Ian Grigg iang at systemics.com
Thu Sep 16 13:12:48 EDT 2004


Adam Shostack wrote:
> Given our failure to deploy PKC in any meaningful way*, I think that
> systems like Voltage, and the new PGP Universal are great.

I think the consensus from debate back last year on
this group when Voltage first surfaced was that it
didn't do anything that couldn't be done with PGP,
and added more risks to boot.  So, yet another biz
idea with some hand wavey crypto, which is great if
it works, but it's not necessarily security.

> * I don't see Verisign's web server tax as meaningful; they accept no
> liability, and numerous companies foist you off to unrelated domains.
> We could get roughly the same security level from fully opportunistic
> or memory-opportunistic models.

Yes, or worse;  it turns out that Verisign may very
well be the threat as well as the solution.  As I
wrote here:

http://www.financialcryptography.com/mt/archives/000206.html

Verisign are in the eavesdropping business, which
not only calls into doubt their own certs, but also
all other CAs, and the notion of a trusted third
party as a workable concept.

iang

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


