Monday, December 12, 2005

Re: X.509 / PKI, PGP, and IBE Secure Email Technologies

James A. Donald wrote:
> > However, the main point of attack is phishing, when
> > an outsider attempts to interpose himself, the man
> > in the middle, into an existing relationship between
> > two people that know and trust each other.
Anne & Lynn Wheeler wrote:
> in the traditional, ongoing relationship scenario,
> relying parties directly record authentication
> information of the parties they are dealing with. if a
> relying party were to directly record the public key
> of the people they are communicating with ... it is
> the trusting of that public key and the validating of
> associated public key operations that provide for the
> countermeasure for man-in-the-middle attacks and
> phishing attacks.

This was the scenario envisaged when PKI was created,
but I don't see it happening, and in fact attempting to
do so using existing user interfaces is painful. They
don't seem designed to do this.

My product, Crypto Kong, http://echeque.com/Kong was
designed to directly support this scenario in a more
convenient fashion - it keeps a database of past
communications and their associated keys, but there did
not seem to be a lot of interest. I could have made it
more useful, given it more capabilities, but I felt I
was missing the point.

James A. Donald
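The key-continuity check the quoted passages describe (a relying party records a correspondent's public key on first contact and checks every later message against that record, so an interposed key is rejected) as an added example in Go; this is not Crypto Kong's code or anything from the list, and the correspondent name, keys and messages are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyStore is the relying party's own record of the public key it first saw
// for each correspondent (the "database of past communications and keys").
type KeyStore struct{ keys map[string]ed25519.PublicKey }

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string]ed25519.PublicKey{}} }

var ErrKeyChanged = errors.New("public key differs from the one previously recorded")
var ErrBadSignature = errors.New("signature does not verify under the recorded key")

// Verify checks a signed message from sender. On first contact the claimed key
// is recorded (trust on first use). Afterwards the recorded key is authoritative:
// a message presenting a different key is rejected, which is what catches a
// man in the middle trying to insert his own key into an existing relationship.
func (s *KeyStore) Verify(sender string, claimed ed25519.PublicKey, msg, sig []byte) (firstContact bool, err error) {
	recorded, known := s.keys[sender]
	if !known {
		if !ed25519.Verify(claimed, msg, sig) {
			return false, ErrBadSignature
		}
		s.keys[sender] = claimed
		return true, nil
	}
	if !recorded.Equal(claimed) {
		return false, ErrKeyChanged
	}
	if !ed25519.Verify(recorded, msg, sig) {
		return false, ErrBadSignature
	}
	return false, nil
}

func main() {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader) // constructed: the real correspondent
	pubM, privM, _ := ed25519.GenerateKey(rand.Reader) // constructed: an interposer's key
	store := NewKeyStore()
	msg := []byte("constructed message body")
	first, err := store.Verify("alice@example.com", pubA, msg, ed25519.Sign(privA, msg))
	fmt.Println("first contact recorded:", first, err)
	_, err = store.Verify("alice@example.com", pubM, msg, ed25519.Sign(privM, msg))
	fmt.Println("interposed key rejected:", err)
}
```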
