[20329] in cryptography@c2.net mail archive
Re: NPR : E-Mail Encryption Rare in Everyday Use
daemon@ATHENA.MIT.EDU (alex@alten.org)
Wed Mar 8 12:10:10 2006
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
From: alex@alten.org
To: "Ben Laurie" <ben@algroup.co.uk>
Cc: "Ed Gerck" <edgerck@nma.com>,
"Paul Hoffman" <paul.hoffman@vpnc.org>, cryptography@metzdowd.com
Date: Thu, 02 Mar 2006 02:08:19 -0500
> Alex Alten wrote:
> > At 05:12 PM 2/26/2006 +0000, Ben Laurie wrote:
> >> Alex Alten wrote:
> >>> At 02:59 PM 2/24/2006 +0000, Ben Laurie wrote:
> >>>> Ed Gerck wrote: We have keyservers for this (my chosen
> >>>> technology was PGP). If you liken their use to looking up an
> >>>> address in an address book, this isn't hard for users to grasp.
> >>>>
> >>>
> >>> I used PGP (Enterprise edition?) to encrypt my work emails to a=20
> >>> distributed set of members last year. We all had each other's
> >>> public keys (about a dozen or so).
> >>>
> >>> What I really hated about it was that when fred@company.com sent
> >>> me an email often I couldn't decrypt it. Why? Because his
> >>> firm's email server decided to put in the FROM field
> >>> "fred@server.company.com". Since it didn't match the email name
> >>> in his X.509 certificate's DN it wouldn't decrypt the S/MIME
> >>> attachment. This also caused problems with replying to his email.
> >>> It took us hours, with several experimental emails sent back and
> >>> forth, to figure out the root of the problem.
> >>>
> >>> No wonder PKI has died commercially and encrypted email is on the
> >>> endangered species list.
> >>
> >> I trust you don't think this is a problem with PKI, right? Since
> >> clearly the issue is with the s/w you were using.
> >
> > I place the blame squarely on X.509 PKI. The identity aspect of it
> > is all screwed up. No software implementation can overcome such a
> > fundamental architectural flaw.
>=20
> OK - I'll bite - why does the sender's identity have any impact on the
> recipient's ability to decrypt?
>=20
Because the software needs a unique ID/name to find the correct key to=20
use. In practice (corporate) users can have multiple email names, see=20
my reply to Peter Gutman. This is not the fault of the email=20
architecture, which has been working fine for 30-40 years, but the fault
of the X.509 architecture trying to piggyback on an address/name space=20
that is not designed with security/cryptography considerations in mind.
- Alex
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
