Re: public-key: the wrong model for email?

2004-09-17 Thread Adam Shostack
On Thu, Sep 16, 2004 at 12:05:57PM -0700, Ed Gerck wrote: | >Adam Shostack wrote: | > | >I think the consensus from debate back last year on | >this group when Voltage first surfaced was that it | >didn't do anything that couldn't be done with PGP, | >and added more risks to boot. | | Voltage actu

Re: public-key: the wrong model for email?

2004-09-17 Thread Adam Shostack
On Thu, Sep 16, 2004 at 06:12:48PM +0100, Ian Grigg wrote: | Adam Shostack wrote: | >Given our failure to deploy PKC in any meaningful way*, I think that | >systems like Voltage, and the new PGP Universal are great. | | I think the consensus from debate back last year on | this group when Voltage

Re: public-key: the wrong model for email?

2004-09-17 Thread Bill Stewart
At 10:19 PM 9/15/2004, Ed Gerck wrote: Yes, PKC provides a workable solution for key distribution... when you look at servers. For email, the PKC solution is not workable (hasn't been) and gives a false impression of security. For example, the sender has no way of knowing if the recipient's key is

Re: public-key: the wrong model for email?

2004-09-17 Thread Ed Gerck
Adam Shostack wrote: On Thu, Sep 16, 2004 at 12:05:57PM -0700, Ed Gerck wrote: | >Adam Shostack wrote: | > | >I think the consensus from debate back last year on | >this group when Voltage first surfaced was that it | >didn't do anything that couldn't be done with PGP, | >and added more risks to bo

Symantec to acquire @Stake

2004-09-17 Thread R. A. Hettinga
The San Jose Mercury News Posted on Thu, Sep. 16, 2004 Symantec to acquire digital security company CUPERTINO, Calif. (AP) - Symantec Corp. said Thursday it is acquiring digital security consu

Register: Symantec snags @stake

2004-09-17 Thread R. A. Hettinga
The Register Original URL: http://www.theregister.co.uk/2004/09/17/symantec_buys_atstake/ Symantec snags @stake By John Leyden (john.leyden at

How to implement a self-destructing message.

2004-09-17 Thread Ian Grigg
Bill Stewart wrote: I don't understand the threat model here. The usual models are ... - Recipient's Computer Disk automatically backed up to optical storage at night - No sense subpoenaing cyphertext when you can subpoena plaintext. In terms of threats actually seen in the real world lead

Re: public-key: the wrong model for email?

2004-09-17 Thread Anne & Lynn Wheeler
At 05:35 PM 9/16/2004, Adam Shostack wrote: Generate a key for "[EMAIL PROTECTED]" encrypt mail to Bob to that key. When Bob shows up, decrypt and send over ssl. note there is still the issue of knowing it is bob ... whether before the "transmission" or after the "transmission" and, in fact

Re: public-key: the wrong model for email?

2004-09-17 Thread lrk
On Thu, Sep 16, 2004 at 04:57:39PM -0700, Bill Stewart wrote: > At 10:19 PM 9/15/2004, Ed Gerck wrote: > >Yes, PKC provides a workable solution for key distribution... when you > >look at servers. For email, the PKC solution is not workable (hasn't been) > >and gives a false impression of security.

Re: public-key: the wrong model for email?

2004-09-17 Thread Ian Grigg
lrk wrote: Perhaps it is time to define an e-mail definition of crypto to keep the "postman" from reading the "postcards". That should be easy enough to implement for the average user and provide some degree of privacy for their mail. Call it "envelopes" rather than "crypto". Real security require

[Openswan dev] [Announce] Openswan 2.2.0 released

2004-09-17 Thread R. A. Hettinga
--- begin forwarded text Date: Fri, 17 Sep 2004 17:48:25 +0200 (MET DST) From: Paul Wouters <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: [Openswan dev] [Announce] Openswan 2.2.0 released List-Id: Openswan developer mailinglist List-Archive: List-P

Re: public-key: the wrong model for email?

2004-09-17 Thread Ed Gerck
Bill Stewart wrote: At 10:19 PM 9/15/2004, Ed Gerck wrote: Yes, PKC provides a workable solution for key distribution... when you look at servers. For email, the PKC solution is not workable (hasn't been) and gives a false impression of security. For example, the sender has no way of knowing if th

Re: public-key: the wrong model for email?

2004-09-17 Thread Eugen Leitl
On Fri, Sep 17, 2004 at 07:35:09PM +0100, Ian Grigg wrote: > Oh, that's really easy. Each mailer (MUA) should (on > install) generate a self-signed cert. Stick the fingerprint apt-get install postfix-tls All right, this still doesn't generate the certs, nor reference them in the main.cf. > in

Re: [anonsec] Re: potential new IETF WG on anonymous IPSec (fwd from [EMAIL PROTECTED]) (fwd from [EMAIL PROTECTED])

2004-09-17 Thread Steven M. Bellovin
In message <[EMAIL PROTECTED]>, Ian Grigg writes: >Peter Gutmann wrote: >> "Steven M. Bellovin" <[EMAIL PROTECTED]> writes: Maybe it's worth doing some sort of generic RFC for this security model to avoid scattering the same thing over a pile of IETF WGs, >>> >>>Sounds good. Who wants to