Re: Opinions of Digital Signing of Email & Encryption

From: Kent W. England [MVP] (kwe@mvps.org)
Date: 06/06/02


From: "Kent W. England [MVP]" <kwe@mvps.org>
Date: Thu, 6 Jun 2002 08:33:56 -0700


Compare the Verisign or, say, a DoD scheme, which is centrally
controlled and administered, to the PGP "web of trust" model. The
workload is applied in different places.

The question was a general question and I gave a general answer. The
poster was focused on the algorithms and my point is that you have to
consider the administration, as always, before you get a clear picture.

I recall a recent incident where Verisign gave a Microsoft certification
to some hackers who then briefly distributed software, IIRC. The hackers
cracked the Verisign administration. Any user would have had absolutely
no way of knowing (outside of out-of-band channels such as the mass
media) that the certificate was bad, since it wasn't.

There is absolutely no reason to trust Verisign. I prefer the PGP web of
trust model, since I can build and maintain that myself. But we can have
both.

--
Kent W. England, MS MVP for Windows XP
(Please respond only in the newsgroup)
Justin D <reply@to.group> posted the following:
> I don't suppose you could give an example of a series of events which
> would give assurance, eg Verisign plus secure private keys and
> current 'class 1' certification.... :)
>
> J Dutoit
>
> "Kent W. England [MVP]" <kwe@mvps.org> wrote in message
> news:eIIc66PDCHA.1732@tkmsftngp02...
>> For the public key infrastructure, that is entirely a matter of the
>> way that the keys are stored, delivered, recovered, and repudiated,
>> and how clients interact with key servers to retrieve public keys.
>>
>> It is also a matter of how keys are created. If there is no
>> authentication of identity, then all you know is that someone sent
>> one or more email messages, but you don't know who they are.
>>
>> --
>> Kent W. England, MS MVP for Windows XP
>> (Please respond only in the newsgroup)
>>
>> Justin D <reply@to.group> posted the following:
>>
>>> My mistake- are digitally signed emails '100%' safe, is there any
>>> way at all that hackers could imitate a 'trusted' person, the way
>>> they abuse ActiveX controls marked safe, and misuse them.
>>>
>>> Tks
>>> J Dutoit
>>> P.S. Rupam Phukan's message had an expired digital ID, if it
>>> matters.
>>>
>>> "S. Pidgorny [MVP]" <slavickp@yahoo.com> wrote in message
>>> news:O3WySwGDCHA.1576@tkmsftngp04...
>>>> Please elaborate?
>>>>
>>>> --
>>>> Svyatoslav Pidgorny, MS MVP, MCSE
>>>> -= F1 is the key =-
>>>>
>>>> "Justin D" <reply@to.group> wrote in message
>>>> news:uKcwP2FDCHA.2212@tkmsftngp02...
>>>>> Is this safe from hackers/spammers/etc..
>>>>>
>>>>> Ta
>>>>> J Dutoit