NPR : E-Mail Encryption Rare in Everyday Use

James A. Donald jamesd at echeque.com
Sat Feb 25 02:01:26 EST 2006


     --
Ben Laurie wrote:
 > > but if you want it to be encrypted to you, then you need to
 > > publish a key.

Ed Gerck wrote:
 > This IS one of the sticky points ;-) If postal mail would work this
 > way, you'd have to ask me to send you an envelope before you can
 > send me mail. This is counter-intuitive to users.

Public key should be part of signature.

 > Your next questions could well be how do you know my key is really
 > mine...

If key is part of signature, you know it really belongs to the person
who posted the item to which you are replying - and sometimes that is
the thing that you really want to know.

Of course you do not know that the person to which you are replying is
really the person he represents himself as being - is he really the
fraud control officer for your bank?  But presumably you are
interacting with the bank through its website, so you, or rather your
software, should damn well know the bank's public key, and the fraud
control officer's signature should have a certificate by the bank
attesting his relationship to the bank.

 > how do you know it was not revoked

It should be checked every time you logon to the bank, and every time
you logon, instead of telling the site your password, you proceed with
a zero knowledge proof where both parties prove knowledge of the
password without revealing the password.

     --digsig
          James A. Donald
      6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
      L4p0k6+mzp2x2QNOdALduMQfwAIXYrsJ3cVYYK4Q
      4iEeX76ichaV+J6eVImNtWEoGzvMmAHKNHHix+chD

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list