ietf-asrg

RE: [Asrg] Challenge to Challenge response

2003-04-22 12:12:39
S/MIME gives a much higher degree of assurance that the message is
from an authentic recipient than C/R with zero UI overhead. If you whitelist
after the initial C/R you have a very weak authorization system.

Why would it be weak?

Because the subsequent whitelisted messages are not authenticated, the
credential is not bound to the message.


If during the challenge response system keys were exchanged (if the
challenge were met) so that I could verify through a digital signature that

OK you are now describing the standard scheme for C/R authentication used in
certificate enrollment. You do that once and the credential can then be used
anywhere.

This problem does not require CA issued certs.


So given that a challenge response system could be set up complete with
cryptographic authentication, it should be very secure. Where am I wrong?

Your system becomes a variant of the existing cryptographic authentication
schemes in use and in development.


You mention that Outlook and Lotus already have S/Mime already in place.
Are you also saying that because of this, I get spammed since I am using
Eudora and that Outlook and Lotus users do not?

The Eudora people have a problem: Qualcomm has no interest in developing
the product. They have no interest in supporting long established
specifications like S/MIME. Therefore it is unfortunately only a matter of
time before that product becomes obsolete and dies. Sorry, there is nothing
I can do when a product vendor abandons their product like that.

I have discussed the issue with Qualcomm directly; they are not interested in
any ongoing product development, whether to stop spam or anything else.


                Phill
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
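
An added illustration, not part of the original message or of any mail client: it contrasts accepting mail on a whitelist entry alone with accepting it only when a credential established at the one-time challenge is bound to each message. HMAC with a shared key stands in for the digital signature discussed in the thread so the sketch runs on the standard library; the header name, addresses and key are constructed for the example.

```python
import hashlib
import hmac
from email.message import EmailMessage

# Constructed state: alice answered the one-time challenge, was whitelisted,
# and a key was exchanged at that point (assumption for this sketch).
WHITELIST = {"alice@example.org"}
KEYS = {"alice@example.org": b"constructed-key-from-enrollment"}
TAG_HEADER = "X-Example-Auth"  # hypothetical header carrying the tag


def _tag(key, sender, body):
    # The tag covers both the claimed sender and the body, so it cannot be
    # replayed on different content or under a different From address.
    data = sender.encode() + b"\n" + body.encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def make_message(sender, body, key=None):
    msg = EmailMessage()
    msg["From"] = sender
    msg.set_content(body)
    if key is not None:
        msg[TAG_HEADER] = _tag(key, sender, msg.get_content())
    return msg


def accept_whitelist_only(msg):
    # Weak: trusts the From header, which the sender of the message controls.
    return str(msg["From"]) in WHITELIST


def accept_bound(msg):
    # Stronger: the sender must be enrolled AND the tag must verify
    # over this exact message.
    sender = str(msg["From"])
    key = KEYS.get(sender)
    tag = msg[TAG_HEADER]
    if key is None or tag is None:
        return False
    expected = _tag(key, sender, msg.get_content())
    return hmac.compare_digest(expected, str(tag))
```

A message that only copies a whitelisted From address passes `accept_whitelist_only` but fails `accept_bound`, as does a message that reuses a valid tag on a different body.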