RE: Verifying Anonymity
>> [...] I find it hard to imagine how you >> can even know whether it "seems to work", let alone has some subtle >> problem. > >That's clearly a much harder problem--and indeed I suspect it's behind >the general lack of interest that the public has shown in anonymous >systems. > >-Ekr The lack of understanding of how a solution works applies to most security products and in general to all computer products. Most people don't have a clue how an SSL encrypted session really protects your credit card number in transit, but allot of people are starting to realize that they should use it (they understand to some extent the problem SSL attempts to solve). With anonymity systems, I don't think understanding how a solution works is a problem to its wide-spread use, the problem is more that of understanding the *problem the solution attempts to solve*. People still don't understand the consequences of privacy invasion on the Internet (the problem). Once they do, they will be willing to pay for a solution from any trusted company, without needing to understand how the solution actually works. IMHO... --Anton - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Verifying Anonymity
Ben Laurie <[EMAIL PROTECTED]> writes: > The recent conversation on SSL where Eric Rescorla was lampooned for > saying (in effect) "I've tried it on several occasions and it seemed > to work, therefore it must be trustworthy" to which he responded > "actually, that's a pretty reasonable way of assessing safety in > systems where there's no attacker specifically targeting you" prompted > me to ask this ... if a system claims to give you anonymity, how do > you (as a user) assess that claim? I find it hard to imagine how you > can even know whether it "seems to work", let alone has some subtle > problem. That's clearly a much harder problem--and indeed I suspect it's behind the general lack of interest that the public has shown in anonymous systems. -Ekr - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Verifying Anonymity
The recent conversation on SSL where Eric Rescorla was lampooned for saying (in effect) "I've tried it on several occasions and it seemed to work, therefore it must be trustworthy" to which he responded "actually, that's a pretty reasonable way of assessing safety in systems where there's no attacker specifically targeting you" prompted me to ask this ... if a system claims to give you anonymity, how do you (as a user) assess that claim? I find it hard to imagine how you can even know whether it "seems to work", let alone has some subtle problem. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]