[13796] in cryptography@c2.net mail archive
Re: Fwd: [IP] A Simpler, More Personal Key to Protect OnlineMessages
daemon@ATHENA.MIT.EDU (C. Wegrzyn)
Wed Jul 9 09:40:57 2003
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
Date: Wed, 09 Jul 2003 08:41:31 -0400
From: "C. Wegrzyn" <wegrzyn@garbagedump.com>
To: iang@systemics.com
Cc: Tim Dierks <tim@dierks.org>, cryptography@metzdowd.com
In-Reply-To: <3F0B86E4.953301B@systemics.com>
From my very practical position ( I was the CTO of Authentica and
responsible for their email and web technology) there are truths to the
email from Ian. Though I will also state that their is a very real
segment of the marketplace which does require a user to have secure
messaging while the corporation might not.
Chuck Wegrzyn
Ian Grigg wrote:
>Tim Dierks wrote:
>...
>
>
>>the fact that the private key, is, in essence, escrowed by the trusted
>>third party, causes me to believe that this system doesn't fill an
>>important unmet need.
>>
>>
>
>I'm not sure that's the case!
>
>There are some markets out there where there are some
>contradictory rules. By this I mean, all messages must
>be private, and all messages must be readable.
>
>Now, the challenges that these markets must meet point
>them in the direction of having a central server doing
>key escrow. But, the central server is not allowed to
>escrow the messages or be able to read the messages.
>
>A further challenge is that these markets are full off
>leakages, and so what is needed is a way of taking the
>crypto capability away from users.
>
>This solution seems to do this latter part, in that it
>achieves the contradictory requirements of making every
>message unreadable, but crackable, and it - in theory -
>does not give users any ability to do their own crypto
>and thus bypass the system.
>
>
>
>A (purely hypothetical) example, to clarify what this
>market looks like: Imagine the NSA had to outsource
>its encrypted comms. They want all messages to be secret
>because .. that's kind of their mission. But, they are
>worried about moles in the organisation, so they want
>to be able to open up the whole shebang somehow and go
>trolling for data.
>
>So how do we rationalise all this? Simple - the people
>who use the system are not the people who buy the system.
>The market for this system is not "users" but corporates
>with special needs. In fact if we look at the website,
>it's oriented to selling into 4 markets: corporates,
>financial, health, and government, If we ignore the
>first as a catchall phrase, the remaining three all have
>special needs when it comes to privacy. And those needs
>aren't so much to do with the user as with the organisation.
>
>It was for these markets that companies like PGP Inc put
>in their fabled alternate decryption key, and companies
>like Hushmail sell "corporate packages."
>
>
>
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
