Re: [cryptography] "Meet the groundbreaking new encryption app set to revolutionize privacy..."
ianG wrote:
[Hushmail design] isn't perfect but it was a whole lot better than futzing around with OpenPGP keys and manual decrypting. And it was the latter 'risk' view that won, Hushmail filled that niche between the hard core pgp community, and the people who did business and needed an easy tool.
Don't be suspicious, be curious -- this is where security is at.
Human rights reporters already put their life on the line. Your mission is not to protect their life absolutely,
One design aspect seems missing from the high-level discussion: how do you define the security mechanism failure mode? You have basically two options: connect with an insecure protocol, or do not connect at all. If it's a life-preserving application, this question should be addressed explicitly. A "fail safe" system may be either way, but stakeholders should know which way.

Airplane pilots are trained according to the failure mode of each aircraft subsystem. E.g. if two-way radio fails, the pilot may remain confident (from an indication on the cockpit) that the air traffic controller (ATC) still sees the aircraft identifier on the radar (see Wikipedia entry for transponder) during the emergency landing. Thus the decision to land at the major airport (instead of a secondary airport with less traffic in conflict but lower grade facilities) is taken based on the "fail-safe" property of the aircraft-to-ATC communications subsystem.

Regards,

--
- Thierry Moreau