[EMAIL PROTECTED] wrote: > How many users can remember MD5 checksums??? If they were rendered into > something pronounceable via S/Key like dictionaries it might be more > useful...
Apologies, last night's answer was too brief to be useful! Here's the more detailed and coffee charged explanation: Printing out a fingerprint allows a PGP-ite to feel comfortable, but we all know there are precious few of those on the planet. So the expected benefit to security is fairly low. We don't get much bang for our buck here, so we're agreed on that point. In reality, the importance of the tool is that it signifies - to me at least - that the browser maufacturers (which I conveniently enlarge to include plug-in makers :) are beginning to address the security failures in secure browsing. In small steps, but they are now facing towards the threat, at least. Maybe. I hope. Also, SSLbar isolates and addresses what I percieve to be a questionable design feature in SSL: the certificate and its delivery as an integral and assumed part of SSL. Here, this tool specifically challenges that feature and allows for out-of-band checking of the certificate. It ignores or supplements the debatable assumption that browsers make: a certificate is good if and only if it is signed by a known CA. That's a good thing, IMHO. Tying the certificate into the core crypto protocol seems to be a poor design choice; outsourcing any certification to a higher layer seems to work much better out in the field. (E.g., PGP, SSH, SOX, Eric B's cryptophone.) -- iang --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]