Re: question on Self-Decrypting Messages !!!

2001-08-22 11:18:59

At 8:46 AM +0200 8/22/01, Werner Koch wrote:

Don't know what SDA is, but self-decrypting messages are a *very
stupid* idea.  You receive such a message from someone you don't know,
you are not able to check the identity of the sender, otherwise you
would have installed an OpenPGP implementation.  So what you do is to
allow anyone who is able to send you a message to run arbitrary code
on your box.  It may decrypt the message but you don't know what the
code does on the side.

Well, the uses are limited, but they exist. The once or twice a year you
want them, they're nice. Here's a scenario:

Your tax accountant wants the records you have from your consulting
business so they can properly get your deductions done. Said accountant
can't spell PGP. You're not in the mood to drive an hour to get there, and
you're not in the mood to teach the accountant how to do it over the phone
-- it's probably simpler and easier to just drive over there. So you bundle
the thing up in a Windows SDA, and email it to your accountant. Then you
phone the accountant up, tell them the passphrase, and it unpacks your
files for them.

The general scenario is that you want to send a message to someone who
doesn't use crypto, and isn't going to regularly use it.
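The point of Werner's objection is a file-format one: a Windows SDA is a program, while a passphrase-protected OpenPGP message is inert data that only an installed implementation interprets. The following is an added illustration, not code from this thread or from any PGP product, of how a mail gateway or a cautious recipient can tell the two apart before anything is opened. It inspects only magic bytes: the MZ/PE headers of a Windows executable, and the first packet tag of an OpenPGP message (tag 3 for a symmetric-key encrypted session key, tags 9 and 18 for encrypted data, per RFC 4880). All sample inputs are constructed inline; the function and constant names are my own.

```python
"""Classify an attachment as 'executable', 'openpgp-data' or 'unknown'.

An SDA arrives as an executable and must be run to be read; an OpenPGP
symmetric message (gpg --symmetric) is passive ciphertext.  Sample
inputs below are constructed for the example, not captured messages.
"""
import struct

# OpenPGP packet tags (RFC 4880 section 4.3)
OPENPGP_PKESK_TAG = 1        # Public-Key Encrypted Session Key
OPENPGP_SKESK_TAG = 3        # Symmetric-Key Encrypted Session Key
OPENPGP_SED_TAG = 9          # Symmetrically Encrypted Data
OPENPGP_SEIPD_TAG = 18       # Symmetrically Encrypted Integrity Protected Data
_ENCRYPTED_MESSAGE_TAGS = {
    OPENPGP_PKESK_TAG, OPENPGP_SKESK_TAG, OPENPGP_SED_TAG, OPENPGP_SEIPD_TAG,
}


def openpgp_first_tag(data: bytes):
    """Return the tag of the first binary OpenPGP packet, or None.

    Bit 7 of a packet header byte is always set.  Bit 6 selects the
    new-format header (11tttttt) over the old one (10tttt ll).
    """
    if not data:
        return None
    b = data[0]
    if not b & 0x80:
        return None
    if b & 0x40:
        return b & 0x3F          # new format: six-bit tag
    return (b >> 2) & 0x0F       # old format: four-bit tag, two length bits


def is_pe_executable(data: bytes) -> bool:
    """True if data is an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_attachment(data: bytes) -> str:
    """Decide whether opening the attachment means running code."""
    if is_pe_executable(data) or data[:2] == b"MZ":
        return "executable"      # plain MZ without PE is still a DOS program
    if openpgp_first_tag(data) in _ENCRYPTED_MESSAGE_TAGS:
        return "openpgp-data"
    if data.startswith(b"-----BEGIN PGP MESSAGE-----"):
        return "openpgp-data"    # ASCII-armored form of the same thing
    return "unknown"


def _constructed_pe() -> bytes:
    """Minimal fake PE image: MZ header, e_lfanew = 0x40, then 'PE\\0\\0'."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 16


# Constructed samples (not real messages).
SAMPLE_SDA = _constructed_pe()
# A gpg --symmetric message starts with a new-format tag-3 header (0xC3).
SAMPLE_PGP = bytes([0xC3, 0x04, 0x04, 0x09, 0x03, 0x08]) + b"\x00" * 8
SAMPLE_TEXT = b"Consulting invoices, Q2.csv\n"

if __name__ == "__main__":
    for name, blob in (("sda", SAMPLE_SDA), ("pgp", SAMPLE_PGP), ("txt", SAMPLE_TEXT)):
        print(name, classify_attachment(blob))
```

The useful outcome is the policy this enables: "executable" attachments from unverified senders are quarantined regardless of what the sender calls them, while "openpgp-data" can be passed through and decrypted with a passphrase delivered out of band, exactly as in the accountant scenario, but without the recipient ever executing the sender's code.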


