I'm not quite sure I'm reading this correctly, but just in case...

On 02/09/14 17:02, Leo Vegoda wrote:
> Handing out cryptographic identity certificates or similar to people
> who do not understand the risks or benefits and do not have a
> suitable key management framework doesn't seem a great idea to me.

If this list concludes that an Internet-scale key management framework is required where all key holders are strongly authenticated before they get any functional benefit, then that makes life easy - we have 20+ years of evidence that there's no point in bothering to try construct that ;-)

Similarly, if the list concludes that users have to understand keys then that's also easy - we know that will never happen and so could also call it a day.

Luckily I don't think most folks are making those mistakes but we really shouldn't spend any more time than absolutely needed on discussion that assumes that the Internet only has strongly authenticated keys or only has users who understand cryptographic keys.

If someone reading this is not convinced already, please mail me offlist and I'll try set you right, but let's not reinvent X.400 email security here please? (Or PEM, or MOSS, or S/MIME or PGP or STANAG 4406 or the various national or proprietary variations etc.)

S.

_______________________________________________
Endymail mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/endymail
