Bob Jueneman wrote:
Let's put this problem in perspective, and try to avoid the "chicken little, the sky is falling" syndrome.
It's quite unlikely that someone would come up with "Eureka!" type of solution to factoring large numbers that would end up completely breaking RSA, or that some way would be found to completely break the integrity of SHA-1.
Well said. SHA-1 works as a many-to-one function and this alone makes it impossible to break if well applied. Simply, no global inverse function exists for a many-to-one function (even though a local inverse may exist, but in this case SHA-1 would not have been well applied). This is a mathematical fact. Matters with RSA are still unproven, though, but it is not probable that it will be broken any time soon in a wide scale. However, this is not what concerns me at all. PKI is the problem. It does not work and it will not work on a global scale. E-commerce itself has moved away from PKI for no other reason. The problem then is the E-sign Act and state legislation following on its heels, which not only blurs IMO what a digital signature is but also does not deal adequately with the liability issues for the different parties involved. In this scenario, what if we see a blind push for a global PKI and also include non-repudiation as an "absolute authentication" based on some mythical "trusted machines" -- as has been suggested recently in the good name of e-commerce? Cheers, Ed Gerck