public-key: the wrong model for email?

Ben Laurie ben at
Sat Sep 18 09:54:42 EDT 2004

Ed Gerck wrote:
> Anne & Lynn Wheeler wrote:
>  > the issue then is what level do you trust the recipient, what is the
>> threat model, and what are the countermeasures.
>> if there is a general trust issue with the recipient (not just their 
>> key generating capability) ... then a classified document compromise 
>> could happen after it has been transmitted. you may have to do a 
>> complete audit & background check of the recipient before any 
>> distribution of classified document.
> If the recipient cannot in good faith detect a key-access ware, or a
> GAK-ware, or a Trojan, or a bug, why would a complete background
> check of the recipient help?

Let's assume for a moment that a solution exists that satisfies your 
requirements. Since the recipient _must_ be able to read the document in 
the end, and is assumed to be incapable of securing their software, then 
the document is still available to third parties without the consent of 
the sender, is it not?

It seems to me that fixing the PK "problem" would in no way improve the 
senders situation given that threat model.



ApacheCon! 13-17 November!

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list