[16185] in cryptography@c2.net mail archive
Re: public-key: the wrong model for email?
daemon@ATHENA.MIT.EDU (Adam Shostack)
Fri Sep 17 09:57:47 2004
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
Date: Thu, 16 Sep 2004 19:36:20 -0400
From: Adam Shostack <adam@homeport.org>
To: Ian Grigg <iang@systemics.com>
Cc: Ed Gerck <egerck@nma.com>,
"Weger, B.M.M. de" <b.m.m.d.weger@TUE.nl>, cryptography@metzdowd.com
In-Reply-To: <4149C990.3020106@systemics.com>
On Thu, Sep 16, 2004 at 06:12:48PM +0100, Ian Grigg wrote:
| Adam Shostack wrote:
| >Given our failure to deploy PKC in any meaningful way*, I think that
| >systems like Voltage, and the new PGP Universal are great.
|
| I think the consensus from debate back last year on
| this group when Voltage first surfaced was that it
| didn't do anything that couldn't be done with PGP,
| and added more risks to boot. So, yet another biz
| idea with some hand wavey crypto, which is great if
| it works, but it's not necessarily security.
Sure, I like the system even if it breaks, because it focuses on ease
of use. I didn't say I thought it secure.
| >* I don't see Verisign's web server tax as meaningful; they accept no
| >liability, and numerous companies foist you off to unrelted domains.
| >We could get roughly the same security level from fully opportunistic
| >or memory-oportunistic models.
|
| Yes, or worse; it turns out that Verisign may very
| well be the threat as well as the solution. As I
| wrote here:
|
| http://www.financialcryptography.com/mt/archives/000206.html
|
| Verisign are in the eavesdropping business, which
| not only calls into doubt their own certs, but also
| all other CAs, and the notion of a trusted third
| party as a workable concept.
Yes.
Adam
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
