Ed Carp wrote: | Adam Shostack <adam@homeport.org> | > jim bell wrote: | > | > [Good points about cost of transactions deleted] | > | > | The answer, I think, it that there would be no problem finding people to | > | take that risk in exchange for the return, ESPECIALLY if they have some | > | input into the design (level of security) of the system. They might insist | > | on 2048-bit RSA keys, instead of 1024-bit, for example. | > | > (I know its only an example, but...) | > | > Key length is not what is needed for better security; more | > solid code and better interfaces are needed. (I might also argue for | > hardware keys that are more difficult to steal..) | | Nonsense. The code is pretty solid, the interfaces aren't very | difficult. What is needed is better human management of keys. Why | brute-force, why look for weak keys, why bother calculating how much | safer 2047-bit keys are rather than 1024-bit keys when someone can | look on your HD and find your secret key, when they can open your | desk drawer and find your pass phrase or password, when they can | guess that you used your wife's maiden name as your password? | | Adam, I don't understand why you wrote nonsense in the first | paragraph, then followed it up with textbook attacks such as: I use PGP becuase its pretty good, but if I was going to trust all my money to it, I'd want better code (especially in key management. And the Mac port needs a few man months of work. ;) I don't know how solid the code is in the ecash client. I do know that Netscape & Microsoft can't seem to ship decent code. (This is a reflection of the way the industry has evolved; the first system to require a bigger processor due to creeping featuritis gets the most market share. Quality of code seems to be unimportant.) No flame at Netscape here; they're doing what the market, conditioned by MS to never expect bug free code, seems to want. Further, the interfaces are not decent. Ever tried teaching your mother to use PGP? I have a lot of smart freinds; a lot of them, while understanding how easy it is to read mail in transit, haven't found a PGP front end thats easy enough to use that they will use it. (This is not an invitation to send me your favorite GUI to PGP (although if anyone has a web page of all/most of them, with reviews & comments and maybe even screen shots, I'd like the URL.) Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume