Adam Shostack wrote:
Given our failure to deploy PKC in any meaningful way*, I think that
systems like Voltage, and the new PGP Universal are great.

I think the consensus from debate back last year on this group when Voltage first surfaced was that it didn't do anything that couldn't be done with PGP, and added more risks to boot. So, yet another biz idea with some hand wavey crypto, which is great if it works, but it's not necessarily security.

* I don't see Verisign's web server tax as meaningful; they accept no
liability, and numerous companies foist you off to unrelted domains.
We could get roughly the same security level from fully opportunistic
or memory-oportunistic models.

Yes, or worse; it turns out that Verisign may very well be the threat as well as the solution. As I wrote here:

http://www.financialcryptography.com/mt/archives/000206.html

Verisign are in the eavesdropping business, which
not only calls into doubt their own certs, but also
all other CAs, and the notion of a trusted third
party as a workable concept.

iang

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to