-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Robert A. Costner wrote:
At 01:18 AM 7/3/97 EST, Carolyn Turbyfill (probably didn't) write:
The email forgeries using bogus PGP keys to give the appearance that the messages are from PGP, Inc. and our employees are the result of a sick, twisted mind.
While a keyserver with no authentication has a very low barrier to entry for false authentication, the barrier is not that much higher for even a Verisign class three verification. I've continually said that the biggest problem with secure authentication is that secure authentication is not possible.
I don't think thats a reasonable assertion at all. PGP is positing that they have an online identification technique. Verisign are asserting they have performed a particular identification process and suggest that it is sufficient for a particular purpose: http://www.verisign.com/pr/pr_idfct.htm Class 3 Digital IDs Require personal presence or registered credentials Used for e-banking, large-sum transactions and contract execution Cost: $24/year for individuals, $290/year for entities/web servers ($75 per year renewal) If you are a bank or company that needs to depend on an identity inthis circumastance the critical point is that you have a standardized level of security. In electronic commerce it is rarely the case that one needs to reduce risk to zero. The question is whether you can quantify the risk you are exposed to. Whether you can insure it.
I hate to see people doing such things with keyservers and keys, but we all knew the problem existed. I wonder where the solution is.
The solution is to put trust attributes in the certificates. If you do an email callback you state that that is the identification process you used in the cert. Two years back it would make sense to upgrade PGP certs to work in this way. At this point however X.509v3 has become the standard, the most commonly available form of email encryption is S/MIME which is built into the default operating system from next year and comes with Communicator. X509v3 may not be perfect but its there, it works and you can carry the same information and construct the same trust relationships that PGP supports. You can also construct other relationships. Looking at the practice of using X509v3 with Outlook Express I found that the actual mechanics of use were remarkably similar to PGP except that it was easy to add in an entire trust domain such as my employer. At this point I'm somewhat skeptical that a single vendor proprietary solution should receive unquestioned support from cypherpunks on the basis of history alone. The question is how to put cryptography on every desk top on the planet. Bill Gates is a better aly in that fight than Phil Z. I think its rather silly for people to start complaining on this list about the bad, bad, hackers. If we could trust people to be good we would not need certificates or computer security at all. Making unspecified and unsupported allegations against competitors seems to me to be a very bad idea indeed. Phill -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQA/AwUBM7s2017MfpC8gEO7EQI7pACg0285HGGqLevqRTFZnzpB59PS8yoAn1Wp 0b7D8YcrmSn9VbjmAq55nKWx =fRuw -----END PGP SIGNATURE-----