Re: Opinions of Digital Signing of Email & Encryption
From: Kent W. England [MVP] (kwe@mvps.org)
Date: 06/06/02
- In reply to: Justin D: "Re: Opinions of Digital Signing of Email & Encryption"
- Next in thread: S. Pidgorny [MVP]: "Re: Opinions of Digital Signing of Email & Encryption"
- Reply: S. Pidgorny [MVP]: "Re: Opinions of Digital Signing of Email & Encryption"
From: "Kent W. England [MVP]" <kwe@mvps.org>
Date: Thu, 6 Jun 2002 08:33:56 -0700

Compare the Verisign or, say, a DoD scheme, which is centrally
controlled and administered, to the PGP "web of trust" model. The
workload is applied in different places.

The question was a general question and I gave a general answer. The
poster was focused on the algorithms and my point is that you have to
consider the administration, as always, before you get a clear picture.

I recall a recent incident where Verisign gave a Microsoft certification
to some hackers who then briefly distributed software, IIRC. The hackers
cracked the Verisign administration. Any user would have had absolutely
no way of knowing (outside of out-of-band channels such as the mass
media) that the certificate was bad, since it wasn't.

There is absolutely no reason to trust Verisign. I prefer the PGP web of
trust model, since I can build and maintain that myself. But we can have
both.

--
Kent W. England, MS MVP for Windows XP
(Please respond only in the newsgroup)

Justin D <reply@to.group> posted the following:

> I don't suppose you could give an example of a series of events which
> would give assurance, eg Verisign plus secure private keys and
> current 'class 1' certification.... :)
>
> J Dutoit
>
> "Kent W. England [MVP]" <kwe@mvps.org> wrote in message
> news:eIIc66PDCHA.1732@tkmsftngp02...
>> For the public key infrastructure, that is entirely a matter of the
>> way that the keys are stored, delivered, recovered, and repudiated,
>> and how clients interact with key servers to retrieve public keys.
>>
>> It is also a matter of how keys are created. If there is no
>> authentication of identity, then all you know is that someone sent
>> one or more email messages, but you don't know who they are.
>>
>> --
>> Kent W. England, MS MVP for Windows XP
>> (Please respond only in the newsgroup)
>>
>> Justin D <reply@to.group> posted the following:
>>
>>> My mistake- are digitally signed emails '100%' safe, is there any
>>> way at all that hackers could imitate a 'trusted' person, the way
>>> they abuse ActiveX controls marked safe, and misuse them.
>>>
>>> Tks
>>> J Dutoit
>>> P.S. Rupam Phukan's message had an expired digital ID, if it
>>> matters.
>>>
>>> "S. Pidgorny [MVP]" <slavickp@yahoo.com> wrote in message
>>> news:O3WySwGDCHA.1576@tkmsftngp04...
>>>> Please elaborate?
>>>>
>>>> --
>>>> Svyatoslav Pidgorny, MS MVP, MCSE
>>>> -= F1 is the key =-
>>>>
>>>> "Justin D" <reply@to.group> wrote in message
>>>> news:uKcwP2FDCHA.2212@tkmsftngp02...
>>>>> Is this safe from hackers/spammers/etc..
>>>>>
>>>>> Ta
>>>>> J Dutoit