UCE - a simpler approach using just digital signing?

Jennifer Bayuk jennifer at bayuk.com
Sun Feb 1 10:54:05 EST 2009


On Saturday, January 31, 2009 6:36 AM, Sascha Silbe wrote:

> Another scheme (that could be combined with the above one to solve only the
> CC party problem) would be accepting only PGP mail and use a manually updated
> whitelist / web of trust of PGP keys. Unfortunately, PGP still isn't widespread
> enough to reject non-PGP mails and the ones not using it are often far more
> susceptible to address harvesting malware, limiting the usefulness of such a
> filter.

On Saturday, January 31, 2009 2:56 PM, John Levin wrote:

> This has the same fundamental problem as Zoemail and any other white list
> system. It's really easy to implement a white list. Unless your name is Paypal,
> the amount of mail forging your address is vanishingly small, and the utterly
> insecure From: line address works just fine for practical purposes. I use that
> to manage my 12 year old daughter's mail.

On Saturday, January 30, 2009 6:17 PM, John Levin wrote:

> This is the wrong place to go into detail about its limitations, although it
> should be self-evident that if it were effective, sometime in the past 13 years
> we'd have started using it.

Though John's January 30th note was about Zoemail, I am reacting to the
words "PGP still isn't widespread" in Sascha's post about PGP. I also was
once under the assumption that I should always have PGP installed. I was
able to verify signatures, and I thought that one day, most people would
gravitate to PGP in some form. However, losing a fight with PGP Support over
whether the enterprise plug-ins I was requesting for a corporation would
reduce the security level of their product (long story about trying to
integrate it with single sign on), and also spending many hours over three
months trying to install the commercial version on Vista, only to have the
PGP engineers tell me that I would have to uninstall all my other Outlook
plug-ins for them to continue working on the problem (e.g. card scanner), I
realize that it will never be the solution of choice for either commercial
enterprise or home office given its current support model. I have not used
it since July and have not missed it a bit.

---------------------------------------------------------------------
The Cryptography Mailing List