[17865] in cryptography@c2.net mail archive
Re: ID "theft" -- so what?
daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Wed Jul 13 22:15:50 2005
X-Original-To: cryptography@metzdowd.com
To: Dan Kaminsky <dan@doxpara.com>
Cc: John Denker <jsd@av8n.com>, cryptography@metzdowd.com
From: "Perry E. Metzger" <perry@piermont.com>
Date: Wed, 13 Jul 2005 18:52:25 -0400
In-Reply-To: <42D59635.2000304@doxpara.com> (Dan Kaminsky's message of "Wed,
 13 Jul 2005 15:31:17 -0700")
Dan Kaminsky <dan@doxpara.com> writes:
>>This is yet more reason why I propose that you authorize transactions
>>with public keys and not with the use of identity information. The
>>identity information is widely available and passes through too many
>>hands to be considered "secret" in any way, but a key on a token never
>>will pass through anyone's hands under ordinary circumstances.
>
> It's 2005, PKI doesn't work, the horse is dead.
Who said PK_I_? I only mentioned P_K_. There is no need for an _I_
here -- a public key stored at the bank in a database is sufficient,
without any certificates at all. The token can store the bank's key
without any need for a cert, either. Neither needs to check the
"certification" of such keys -- the mere presence of the key in the
correct part of storage indicates it is valid, the same way that a
.ssh key file needs no certification, only existence.
-- 
Perry E. Metzger		perry@piermont.com
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
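
The arrangement described in the message above, as an added example that is not part of the original post: each side holds only the other's public key in a plain table, and a key is accepted because it is stored there, with no certificate involved. Ed25519, the `Party` type, the account id and the transaction string are assumptions made for this sketch; enrollment is assumed to happen out of band.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Party is a bank or a token: its own private key plus the peer public keys it
// has stored. Ed25519 and all names here are this example's assumptions.
type Party struct {
	priv  ed25519.PrivateKey
	peers map[string]ed25519.PublicKey
}

func NewParty() *Party {
	_, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return &Party{priv, map[string]ed25519.PublicKey{}}
}

// Enroll stores each side's public key with the other (assumed done out of band).
func Enroll(bank, token *Party, account string) {
	bank.peers[account] = token.priv.Public().(ed25519.PublicKey)
	token.peers["bank"] = bank.priv.Public().(ed25519.PublicKey)
}

func (p *Party) Sign(msg []byte) []byte { return ed25519.Sign(p.priv, msg) }

// Verify is true only if a key is stored under name and sig verifies under it.
// Presence in the table is the whole trust decision; no certificate is checked.
func (p *Party) Verify(name string, msg, sig []byte) bool {
	pub, ok := p.peers[name]
	return ok && ed25519.Verify(pub, msg, sig)
}

// Transact: the token signs tx only for a request made under the stored bank
// key; the bank accepts only a signature under the key stored for the account.
func Transact(bank, token *Party, account string, tx, bankSig []byte) bool {
	return token.Verify("bank", tx, bankSig) && bank.Verify(account, tx, token.Sign(tx))
}

func main() {
	bank, token := NewParty(), NewParty()
	Enroll(bank, token, "acct-1001") // constructed account id
	tx := []byte("pay 25.00 to merchant-7 nonce=0001") // constructed transaction
	fmt.Println("accepted:", Transact(bank, token, "acct-1001", tx, bank.Sign(tx)))
}
```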