One difference is that with the identity-based crypto, once a sender has acquired the software and the CA's public key, he doesn't have to contact the CA to get anyone's "certificate". He can encrypt to anyone without having to contact the CA, just based on the email address. Your proposed substitute doesn't allow for this.
True, but how valuable is that, given that you can't send the actual message without contacting a server? I suppose one can construct theoretical scenarios where that's a benefit, but it seems to be a pretty narrow niche to me.
> but you don't need goofy new crypto to accomplish it.
The Weil pairing hardly constitutes "goofy new crypto". They are doing all kinds of cool stuff with pairings these days, including privacy-enhancing technology such as public keys with built-in forward secrecy.
I retract the "goofy". My point was that the market is incredibly reluctant to adopt new technology: if you can solve a problem with components known to the marketplace, you're much more likely to be successful than if you invent something new. This is above and beyond any reluctance to adopt new cryptographic technology based on concerns about security.
Even if the Weil pairing is known to be 100% secure and tested, any new solution has to, as a practical matter, leap a huge hurdle to overcome available, well known alternatives. I've spent years attempting to get the market to accept alternative security solutions, and I can testify to how high that hurdle is. In my opinion, identity-based cryptography has insufficient upside to overcome that hurdle, especially given that it is not without its downsides (escrowed private keys, no protection against key compromise).
- Tim
--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
