public-key: the wrong model for email?

Adam Shostack adam at homeport.org
Thu Sep 16 19:36:20 EDT 2004


On Thu, Sep 16, 2004 at 06:12:48PM +0100, Ian Grigg wrote:
| Adam Shostack wrote:
| >Given our failure to deploy PKC in any meaningful way*, I think that
| >systems like Voltage, and the new PGP Universal are great.
| 
| I think the consensus from debate back last year on
| this group when Voltage first surfaced was that it
| didn't do anything that couldn't be done with PGP,
| and added more risks to boot.  So, yet another biz
| idea with some hand wavey crypto, which is great if
| it works, but it's not necessarily security.

Sure, I like the system even if it breaks, because it focuses on ease
of use.  I didn't say I thought it secure.

| >* I don't see Verisign's web server tax as meaningful; they accept no
| >liability, and numerous companies foist you off to unrelated domains.
| >We could get roughly the same security level from fully opportunistic
| >or memory-opportunistic models.
| 
| Yes, or worse;  it turns out that Verisign may very
| well be the threat as well as the solution.  As I
| wrote here:
| 
| http://www.financialcryptography.com/mt/archives/000206.html
| 
| Verisign are in the eavesdropping business, which
| not only calls into doubt their own certs, but also
| all other CAs, and the notion of a trusted third
| party as a workable concept.

Yes.

Adam

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


