Peter Davidson sez:
This is the famed "key distribution problem."
With public key methods, this problem is largely solved. Each person can generate his or her own key, publish the public key part of it, and be done with it.
It's not that simple. Terry Ritter has pointed out on sci.crypt that the problem with PGP is the validation of public keys used. In other words, the security hole in the use of PGP is not in the encryption methods used, or in the use of PGP itself, but in the possibility of being duped by someone (or some nefarious federal agency) spreading bogus public keys. It's not enough to have a public key which you believe is the public key of a person you wish to communicate securely with - you also have to be sure that the private key which corresponds to this public key is known only to that person, in other words, that the public key really did come from the person you believe it came from. If you get the (presumed) public key of some person X from some directory of public keys, or from some third party, how can you be sure it didn't originate with someone who wants to monitor all the encrypted messages being sent to X? Terry Ritter has explained how a third party can place themselves in the middle of encrypted communications between two people using PGP and monitor everything they say to each other - and this without having to crack RSA or IDEA.
Ah, yes. The man in the middle again. If a protocol existed that could guarantee detection of the man in the middle, then it would only need be used once with each conversant to exchange public keys reliably. The whole problem of public key distribution would then be solved. As many of you know, I believe such a protocol exists. :-) Without this detection capability in some form, public key has few advantages except that you only need one of them. A signfigant advantage, I admit but it doesn't seem to solve anything. Exchanging keys between point A and point B requires a chain of trust with no possibility of a man in the middle, not the sort of thing people want to mess with. Peace, Bob -- Bob Cain rcain@netcom.com 408-354-8021 "I used to be different. But now I'm the same." --------------PGP 1.0 or 2.0 public key available on request.------------------