[45098] in Cypherpunks

Re: More FUD from First Virtual

daemon@ATHENA.MIT.EDU (Adam Shostack)
Sun Dec 10 13:11:16 1995

From: Adam Shostack <adam@homeport.org>
To: khijol!netcom.com!ecarp@homeport.org
Date: Sun, 10 Dec 1995 13:08:29 -0500 (EST)
Cc: cypherpunks@toad.com (Cypherpunks Mailing List)
In-Reply-To: <199512101114.FAA26720@khijol> from "Ed Carp" at Dec 10, 95 04:03:21 am

Ed Carp wrote:

| Adam Shostack <adam@homeport.org>
| > jim bell wrote:
| > 
| > [Good points about cost of transactions deleted]
| > 
| > | The answer, I think, is that there would be no problem finding people to
| > | take that risk in exchange for the return, ESPECIALLY if they have some
| > | input into the design (level of security) of the system.  They might insist
| > | on 2048-bit RSA keys, instead of 1024-bit, for example.
| > 
| > 	(I know it's only an example, but...)
| > 
| > 	Key length is not what is needed for better security; more
| > solid code and better interfaces are needed.  (I might also argue for
| > hardware keys that are more difficult to steal..)
| 
| Nonsense.  The code is pretty solid, the interfaces aren't very 
| difficult.  What is needed is better human management of keys.  Why 
| brute-force, why look for weak keys, why bother calculating how much 
| safer 2047-bit keys are rather than 1024-bit keys when someone can 
| look on your HD and find your secret key, when they can open your 
| desk drawer and find your pass phrase or password, when they can 
| guess that you used your wife's maiden name as your password?
|
| Adam, I don't understand why you wrote nonsense in the first 
| paragraph, then followed it up with textbook attacks such as:

	I use PGP because it's pretty good, but if I was going to trust
all my money to it, I'd want better code (especially in key
management.  And the Mac port needs a few man months of work. ;) I
don't know how solid the code is in the ecash client.  I do know that
Netscape & Microsoft can't seem to ship decent code.   (This is a
reflection of the way the industry has evolved; the first system to
require a bigger processor due to creeping featuritis gets the most
market share.   Quality of code seems to be unimportant.)  No flame at
Netscape here; they're doing what the market, conditioned by MS to
never expect bug free code, seems to want.

	Further, the interfaces are not decent.  Ever tried teaching
your mother to use PGP?  I have a lot of smart friends; a lot of them,
while understanding how easy it is to read mail in transit, haven't
found a PGP front end that's easy enough to use that they will use it.
(This is not an invitation to send me your favorite GUI to PGP
(although if anyone has a web page of all/most of them, with reviews &
comments and maybe even screen shots, I'd like the URL.))

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume
