Jacob Palme <jpalme(_at_)dsv(_dot_)su(_dot_)se> wrote on 08/06/2002 17:40:17
> Why are so few people using either of these security
> methods, when they at the same time complain of the
> lack of security in e-mail?
It would be trivial for me to turn on S/MIME signing in my MUA, and as the
signing certificate travels with the signed mail item, there is no
receiver certificate look-up required. So far so good. The problem is with
the certificate. At what price do I acquire one, and how confident can a
recipient be of its veracity? I can create my own self-signed root
certificate at no cost (this approach works fine for SSL/TLS based
encryption), but any old forger could also do that. If I physically handed
a correspondent my self-signed root certificate in a face-to-face meeting,
then we'd be all set, but how scalable would this be? The answer is not
very. I could acquire a certificate from a trusted third party (assuming
my correspondents and I could agree on one), but how will this third party
(or their delegate) ensure the veracity of my claim? They will have to
operate very stringent controls and at a commensurate cost. So we're
stuck. We know how to employ signing certificates across a single
organization, and how to extend them in a pair-wise fashion (via cross
certificates) to a limited number of other organizations, but beyond that
I would argue we're stuck. Others may disagree. I'd love to be wrong on
this one.
Nick
Nick Shelness
Independent Technology Consultant
Fellow - Differentis Ltd.
Advisor - Oak Investment Partners
Contact Details
Office Tel: +44 (0) 1828 640 632
Office Fax: +44 (0) 1828 640 647
Internet email: nick(_at_)old-mill(_dot_)net
Short message: +44 7753 566460 or page(_at_)old-mill(_dot_)net
AOL instant messaging: NickShelness
MSN instant messaging: nh_shelness(_at_)hotmail(_dot_)com
Yahoo instant messaging: NickShelness
Snail mail: The Old Mill, Meigle, Perthshire, PH12 8TJ, UK
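The trust problem Nick describes can be reproduced on the command line. The script below is an added example, not code from the original message or from any of the people in this thread; it assumes the openssl CLI is installed, and the names (alice, forger), the e-mail address and the message text are constructed for the demonstration. It mints two self-signed certificates with identical subjects, signs the same message with each, and then verifies the results against a pinned copy of alice.crt, which stands in for the certificate handed over face to face. The forger's message carries a certificate that looks the same and whose signature is mathematically valid, and only the pinned copy tells the two apart.

```shell
#!/bin/sh
# Added example, not part of the original message: S/MIME signing with a
# self-signed certificate, driven through the openssl CLI. The names
# (alice, forger), the address and the message text are constructed.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed message to be signed.
printf 'Subject: invoice\n\nPlease pay invoice 17 to account 123.\n' > msg.txt

# make_selfsigned PREFIX CN EMAIL
# Creates a self-signed certificate and key. It costs nothing, and anyone,
# the legitimate sender or a forger, can mint one with any subject.
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$2/emailAddress=$3" \
    -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# sign_mail PREFIX
# Produces a multipart/signed S/MIME message. The signer's certificate is
# embedded in the message, so the recipient needs no directory lookup to
# check the signature itself.
sign_mail() {
  openssl smime -sign -in msg.txt -signer "$1.crt" -inkey "$1.key" \
    -out "$1.signed.eml"
}

# embedded_signer FILE
# Prints the subject of the certificate carried inside the signed message.
embedded_signer() {
  openssl smime -pk7out -in "$1" | openssl pkcs7 -print_certs -noout \
    | sed -n 's/^subject=//p'
}

# verify_mail FILE TRUSTED_CERT
# Prints one of:
#   trusted   - signature valid and the signer chains to TRUSTED_CERT
#   untrusted - signature valid, but the signer is not trusted
#   badsig    - the content or signature has been altered
verify_mail() {
  if openssl smime -verify -in "$1" -CAfile "$2" -out /dev/null >/dev/null 2>&1; then
    echo trusted
  elif openssl smime -verify -in "$1" -noverify -out /dev/null >/dev/null 2>&1; then
    echo untrusted
  else
    echo badsig
  fi
}

# Alice mints her own root and signs; a forger mints a root with the same
# subject and signs the same text.
make_selfsigned alice  "Alice Example" alice@example.org
make_selfsigned forger "Alice Example" alice@example.org
sign_mail alice
sign_mail forger

# A copy of Alice's message altered in transit.
sed 's/account 123/account 999/' alice.signed.eml > tampered.eml

# The recipient has pinned alice.crt (handed over face to face).
echo "certificate inside alice's mail:  $(embedded_signer alice.signed.eml)"
echo "certificate inside forger's mail: $(embedded_signer forger.signed.eml)"
echo "alice    -> $(verify_mail alice.signed.eml alice.crt)"    # trusted
echo "forger   -> $(verify_mail forger.signed.eml alice.crt)"   # untrusted
echo "tampered -> $(verify_mail tampered.eml alice.crt)"        # badsig
echo "forger, if the recipient simply trusts whatever certificate arrived:"
echo "  $(verify_mail forger.signed.eml forger.crt)"            # trusted
```

The last line is the failure mode to watch for: a client that takes the embedded certificate as its trust anchor reports the forgery as valid. Pinning works here because there is one correspondent; the scaling problem in the message above is that every additional correspondent needs either their own pinned copy or a common third party that both sides accept.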