On Jan 18, 2013, at 2:04 PM, Jeffrey Walton <[email protected]> wrote:
> On Fri, Jan 18, 2013 at 12:29 PM, Warren Kumari <[email protected]> wrote:
>>
>> On Jan 18, 2013, at 11:14 AM, ianG <[email protected]> wrote:
>>
>>> On 17/01/13 05:21 AM, [email protected] wrote:
>>>>
>>>>> To clarify: I think everyone and everything should be identified by
>>>>> their public key,...
>>>>
>>>> Would re-analyzing all this in a key-centric model rather than
>>>> a name-centric model offer any insight? (key-centric meaning
>>>> that the key is the identity and "Dan" is an attribute of that
>>>> key; name-centric meaning that Dan is the identity and the key
>>>> is an attribute of that name)
>>>
>>>
>>> Key-centric works up until a point. It is certainly more elegant and more
>>> secure in technical terms, but some assumptions tend to need to be
>>> handwaved away to make it workable.
>>>
>>> Primarily, storing the key and protecting it seems to result in the same
>>> old mess -- it has to be stored somewhere safe and kept safe.
>>
>> … and available.
>>
>> When you are at one of the hotel "Print your boarding pass here" things here
>> and suddenly need your United credentials, or are visiting your granny and
>> suddenly discover that the great stock tip that your barber gave you last week
>> is not actually so great, and need your E-Trade credentials so you can use
>> her machine to sell, well….
>>
>> Sure, you can store them all in the "cloud" and protect them with… err… a
>> username and password and then just download the ones you need and import
>> them and…
>> Oh, and this needs to be usable by the sort of folk who need help plugging
>> in a USB cable…
> Dangerous.
>

Oh, no doubt…

> When the US government started its illegal wiretapping campaign, I
> understand only one telecom resisted. Here, information was being
> provided upon request and not by court order. Will any cloud providers
> resist?

Ah, I guess I was not clear -- the keys would be encrypted *with your password* somewhere -- "the cloud" was shorthand for "somewhere easily and universally reachable". They would only be decrypted on a local machine (like, you know, the untrusted kiosk!)

Yes, this reduces the entire solution to a password ;-) I guess I hadn't selected the sarcasm font when writing this...

>
> Before someone gets upset, I've been in meetings where folks gasped
> when I claimed we should model government as a threat.

Well, duh… Isn't basically everything that is not yourself a threat?

> When I asked if
> it's OK for the DoD or an Army analyst to read/analyze State Department
> or Diplomatic Security Service traffic, the answer was NO. I took
> that to mean they wanted privacy from all parties (including other
> agencies), but did not know how to ask for it (and I did not frame it
> properly).
>

W

> Jeff
>

--
Eagles soar but a weasel will never get sucked into a jet engine

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
