James A. Donald wrote:
SSL works in practice, X509 with CA certs does not work
in practice. People have been bullied into using it by
their browsers, but it does not give the protection
intended, because people do what is necessary to avoid
being nagged by browsers, not what is necessary to be
secure.
Indeed so - however, if Google makes it "just work" then there will be a
large swathe of people out there wondering "what does this DIGITAL SIGNATURE"
button do in gmail?" plus a smaller subset who have google talk and can perform
secure e2e voip using x509 certs that they don't even know they have.
Its not ideal, but its not a bad thing either - a little more security, using
a known method, without any individual user having to know or care how it works
(and lets face facts here, no solution that requires an end user to get his
finger out and do something without being forced to, no matter how trivial the
task is, ever had a decent update)
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
