Bob Jueneman wrote:
> Let's put this problem in perspective, and try to avoid the "chicken little, the sky
>is falling" syndrome.
>
> It's quite unlikely that someone would come up with "Eureka!" type of solution to
>factoring large numbers that would end up completely breaking RSA, or that some way
>would be found to completely break the integrity of SHA-1.
Well said. SHA-1 works as a many-to-one function and this alone makes it impossible to
break if
well applied. Simply, no global inverse function exists for a many-to-one function
(even
though a local inverse may exist, but in this case SHA-1 would not have been well
applied).
This is a mathematical fact. Matters with RSA are still unproven, though, but it is
not probable
that it will be broken any time soon in a wide scale.
However, this is not what concerns me at all. PKI is the problem. It does not work
and it
will not work on a global scale. E-commerce itself has moved away from PKI for no
other
reason.
The problem then is the E-sign Act and state legislation following on its heels, which
not only blurs IMO what a digital signature is but also does not deal adequately with
the
liability issues for the different parties involved.
In this scenario, what if we see a blind push for a global PKI and also include
non-repudiation
as an "absolute authentication" based on some mythical "trusted machines" -- as has
been
suggested recently in the good name of e-commerce?
Cheers,
Ed Gerck
