Re: Help spread strong cryptography now!



Unruh wrote:

You can think of this as a type of email address verification used in
issuing a class 1 certificate. If you go to VeriSign to apply for a class
1 digital ID to be used for secure email, they really just send you
some secret to your email address and verify that you can receive it.
The one-time password verification is no more and no less, about the
same security level as a class 1 certificate.

Complete horse ***. What they do is to verify that you are who you claim
to be. They then sign your PUBLIC key which you sent them, to verify that
that public key belongs to the person it claims to belong to. THEY do NOT
generate a key for you. You do that yourself with whatever software you
want to use.

In a class 1 certificate application, they do not verify who you are (you
do not have to send a copy of your driver's license to them). They only
verify that you can receive some secret sent to your email address.
EaSecure software generates public/private keys on your computer. Just
like PGP software does. Your private key never leaves your computer.
Only the public key is sent to the server for issuing certificates. The
server will only issue certificates after verifying the one-time
password - which is a way to verify that you can receive an email sent
to your email address. This is the same verification used in issuing
a class 1 certificate.
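
An added sketch of the enrollment flow described in the reply above (not part of the original post, and not EaSecure's or VeriSign's code): the client submits only a public key, the server mails a one-time password, and issuance happens only when that password comes back for the same key. The class name, the 600-second lifetime, the in-memory outbox standing in for mail delivery, and the unsigned dict standing in for a certificate are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL = 600  # seconds; assumed lifetime, not a value from the thread


class EnrollmentServer:
    """Toy issuer: releases a certificate record only after mailbox proof."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}   # email -> (otp_hash, key_fingerprint, expiry)
        self.outbox = []     # stands in for SMTP delivery: (email, otp)

    def request(self, email, public_key):
        """Client submits its PUBLIC key only; the private key stays local."""
        otp = secrets.token_urlsafe(16)
        fp = hashlib.sha256(public_key).hexdigest()
        otp_hash = hashlib.sha256(otp.encode()).digest()
        self._pending[email] = (otp_hash, fp, self._now() + OTP_TTL)
        self.outbox.append((email, otp))
        return fp

    def confirm(self, email, otp, public_key):
        """Return a certificate record, or None if the proof fails."""
        # pop(): the OTP is consumed on any attempt, so it cannot be guessed twice.
        entry = self._pending.pop(email, None)
        if entry is None:
            return None
        otp_hash, fp, expiry = entry
        otp_ok = hmac.compare_digest(otp_hash, hashlib.sha256(otp.encode()).digest())
        # Bind the OTP to the key it was requested for, so a valid OTP
        # cannot be used to certify a different key.
        key_ok = hmac.compare_digest(fp, hashlib.sha256(public_key).hexdigest())
        if not (otp_ok and key_ok) or self._now() > expiry:
            return None
        # Unsigned stand-in for a certificate. It asserts mailbox control
        # only; nothing here checks who the person is.
        return {"subject": email, "key_fingerprint": fp,
                "assurance": "email-control-only"}
```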
