On Tue, Sep 02, 2014 at 05:22:16PM +0100, Stephen Farrell wrote:
>
> I'm not quite sure I'm reading this correctly, but just in
> case...
>
> On 02/09/14 17:02, Leo Vegoda wrote:
> > Handing out cryptographic identity certificates or similar to people
> > who do not understand the risks or benefits and do not have a
> > suitable key management framework doesn't seem a great idea to me.
>
> If this list concludes that an Internet-scale key management
> framework is required where all key holders are strongly
> authenticated before they get any functional benefit, then
> that makes life easy - we have 20+ years of evidence that
> there's no point in bothering to try construct that;-)
That's not quite what I meant. What I meant is that if there is an authority handing out certificates then it should do so in a responsible way. Cryptographic certificates are sufficiently different from photographic identity documents that pre-existing assumptions need to be changed to avoid disappointment. This does not need to be hierarchical but it does need some infrastructure support and either some really outstandingly good user interface design or education.

If users receive encrypted e-mail and then lose the corresponding private key then they lose the ability to read old messages. People working for organizations handing out X.509 certificates for S/MIME use get training and their keys might well be escrowed. But ordinary individuals are unlikely to get training and they do expect to be able to read old e-mails. I think this is the sort of basic usability issue that requires some kind of user-friendly key management. Whether it needs to be Internet-scale - well I don't know - but it needs to be good enough that the key is reasonably secure if a laptop or tablet is lost or stolen.

I expect that in most cases strong authentication is not required but people will need some kind of mechanism for evaluating how much trust to assign a new key they have not seen before and that will also require some kind of education or another superb user interface. Most people will be new to cryptography and will need some help.

Leo

_______________________________________________
Endymail mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/endymail
