> One difference is that with the identity-based crypto, once a sender
> has acquired the software and the CA's public key, he doesn't have to
> contact the CA to get anyone's "certificate". He can encrypt to anyone
> without having to contact the CA, just based on the email address.
> Your proposed substitute doesn't allow for this.
But you don't have to contact the CA to get someone's certificate. A standard way is to send them an email saying "can you send me a signed message?" This also ensures you have the right public key.

I haven't studied the details of IBE, but I assume that (a) there may be multiple IBE-based "CA"s, with different parameters, and (b) the identity that's used to encrypt will be not just a name, but a name and a date (to ensure that some revocation-like capability exists). In either case, you can't simply pick the email address and use it as the public key; you need to establish some additional information first.

This seems to put us back in the same place as with standard PKI, usability-wise. (Or, rather, there may be a usability delta for IBE, but it's very small).

When you add to this the fact that the server knows your decryption key... I really don't see why this is worth getting excited about commercially, or even from an engineering perspective. It's cool maths, though.

Cheers,
William

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
