Re: Opinions of Digital Signing of Email & Encryption

From: Kent W. England [MVP] (kwe@mvps.org)
Date: 06/06/02


From: "Kent W. England [MVP]" <kwe@mvps.org>
Date: Thu, 6 Jun 2002 08:33:56 -0700


Compare the Verisign or, say, a DoD scheme, which is centrally
controlled and administered, to the PGP "web of trust" model. The
workload is applied in different places.

The question was a general question and I gave a general answer. The
poster was focused on the algorithms and my point is that you have to
consider the administration, as always, before you get a clear picture.

I recall a recent incident where Verisign gave a Microsoft certification
to some hackers who then briefly distributed software, IIRC. The hackers
cracked the Verisign administration. Any user would have had absolutely
no way of knowing (outside of out-of-band channels such as the mass
media) that the certificate was bad, since it wasn't.

There is absolutely no reason to trust Verisign. I prefer the PGP web of
trust model, since I can build and maintain that myself. But we can have
both.

--
Kent W. England, MS MVP for Windows XP
(Please respond only in the newsgroup)
Justin D <reply@to.group> posted the following:
> I don't suppose you could give an example of a series of events which
> would give assurance, eg Verisign plus secure private keys and
> current 'class 1' certification.... :)
>
> J Dutoit
>
> "Kent W. England [MVP]" <kwe@mvps.org> wrote in message
> news:eIIc66PDCHA.1732@tkmsftngp02...
>> For the public key infrastructure, that is entirely a matter of the
>> way that the keys are stored, delivered, recovered, and repudiated,
>> and how clients interact with key servers to retrieve public keys.
>>
>> It is also a matter of how keys are created. If there is no
>> authentication of identity, then all you know is that someone sent
>> one or more email messages, but you don't know who they are.
>>
>> --
>> Kent W. England, MS MVP for Windows XP
>> (Please respond only in the newsgroup)
>>
>> Justin D <reply@to.group> posted the following:
>>
>>> My mistake- are digitally signed emails '100%' safe, is there any
>>> way at all that hackers could imitate a 'trusted' person, the way
>>> they abuse ActiveX controls marked safe, and misuse them.
>>>
>>> Tks
>>> J Dutoit
>>> P.S. Rupam Phukan's message had an expired digital ID, if it
>>> matters.
>>>
>>> "S. Pidgorny [MVP]" <slavickp@yahoo.com> wrote in message
>>> news:O3WySwGDCHA.1576@tkmsftngp04...
>>>> Please elaborate?
>>>>
>>>> --
>>>> Svyatoslav Pidgorny, MS MVP, MCSE
>>>> -= F1 is the key =-
>>>>
>>>> "Justin D" <reply@to.group> wrote in message
>>>> news:uKcwP2FDCHA.2212@tkmsftngp02...
>>>>> Is this safe from hackers/spammers/etc..
>>>>>
>>>>> Ta
>>>>> J Dutoit


Relevant Pages

  • Re: RSA vs AES
    ... > Verisign, MS took the extra burden of issuing a critical patch to ... > those stolen root CAs. ... if any of these other keys ever got compromised ... ... BBN Certificate Services ...
    (sci.crypt)
  • Re: Huge discrepancy in "standards" of risk evaluation for theory vs. for practice in cryptology
    ... site's Verisign cert, or its Thawte cert, or its Hells Angels cert, ... Assume you have a certain amount of trust in an e-commerce vendor. ... CA issued the certificate for that e-commerce vendor) and avoid the ...
    (sci.crypt)
  • Re: http://www.cerberus-sys.com/~belleisl/infosec.html
    ... an attack that worked with only 2**-64 keys and the work factor was 2**64. ... The web site also has some seriously out of date errors on how long it takes ... keyspace of DES ... Thawte or Verisign have a long history of honest dealing. ...
    (sci.crypt)
  • Re: Has anyone really cracked anything recently?
    ... Well, Microsoft trusted them, and given how much Microsoft stood to lose ... Verisign _did_ screw up, ... For higher security, I've always preferred PGP instead, as I don't need ... or trust a third party to manage any part of my key structure. ...
    (sci.crypt)
  • Re: Opinions of Digital Signing of Email & Encryption
    ... > I recall a recent incident where Verisign gave a Microsoft certification ... > to some hackers who then briefly distributed software, ... > cracked the Verisign administration. ... > trust model, since I can build and maintain that myself. ...
    (microsoft.public.security)