Cryptography isnt everything and digital signatures is hardly the only
alternative to challenge/response and as has been pointed out many times,
certificates do not provide much more then that somebody went into trouble
of getting it, there just no way any certificate authority can make clear
one-one comparison between real person and digital persona that somebody
else can serious trust (except maybe if they had the person take dna
test and converted his dna profile into digital signature...). For
websites, in reality its not the certificate that makes the difference
its the use of SSL that protects the information being transmitted.
I'm not saying certificates aren't usefull as way of signing things, but
not every email is some legal document that requires a signature and I'd
rather its stay that way.
We should not accept second rate authentication over cryptographic
authentication though. The mailing list attack that I described
earlier is real and has occurred on several occasions to me,
the IETF lists appear to be common targets. Challenge/Response
has a well known couterattack, we should not accept it in preference
to digital signatures.
Phill
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg