On Tuesday 10 May 2005 11:47, Jean-Marc Desperrier wrote: > Ram A Moskovitz wrote:
> What if I say Bruce Schneier also says similar things ? > "Identification and Security" > http://www.schneier.com/crypto-gram-0402.html#6 Right, Bruce is one of those who figured out that there were fundamental flaws in the way of doing things. He wrote a relatively famous recant of his big red book's philosophy when he discovered that security was risk-based, not absolute. That changes everything... Others include Geer, Rivest, Gutmann, JKW, Clarke, Davis, Ellison, Wheeler, Brands, Shamir, ... the list of articles and academic literature is quite long, but the problem with all the writings is that they only tear down one or two parts of the puzzle each. The champion of those who think the PKI architecture is A-OK is probably Whitfield Diffie. He seems to be the only vocal defender of PKI these days. I feel however a bit embarrassed to sink this discussion to the level of naming well known names. Surely the ideas should be compelling and solid enough that the security speaks for itself? No, apparently not, it appears that because the concepts of PKI cross different disciplines, the killer assumptions in one area become accepted gospel in another area; accountants do not know how to challenge digital signatures, and programmers do not know how to challenge separations of roles. (As a sort of embarrassing example, even though my own work is quite strong in the use of digital sigs in contract signing, it was only in the last couple of years that I discovered that non-repudiation was a nonsense.) iang -- http://iang.org/ _______________________________________________ mozilla-crypto mailing list [email protected] http://mail.mozilla.org/listinfo/mozilla-crypto
