Dave Howe wrote:
> Indeed so - however, if Google makes it "just work" then there will be
> a large swathe of people out there wondering "what does this DIGITAL
> SIGNATURE button do in gmail?" plus a smaller subset who have google
> talk and can perform secure e2e voip using x509 certs that they don't
> even know they have.
> It's not ideal, but it's not a bad thing either - a little more
> security, using a known method, without any individual user having to
> know or care how it works (and let's face facts here, no solution that
> requires an end user to get his finger out and do something without
> being forced to, no matter how trivial the task is, ever had a decent
> update)
the major ISPs are already starting to provide a lot of security software to their customers. a very straightforward one would be if they provided public key software ... to (generate if necessary) and register a public key in lieu of password ... and also support the PPP & radius option of having digital signature authentication in lieu of password checking
http://www.garlic.com/~lynn/subpubkey.html#radius

at that point your public key is now registered with your ISP ... and possibly could be used for other things as well ... and scaffolding for a certificateless trust infrastructure.

in much the same way i've commented about some of the implications of the SSL certificate industry backing for having onfile public keys in the domain name infrastructure (and anybody being able to do real time retrieval of public key) ... something similar could happen with onfile public keys for the general public with their ISP (and possibly allowing real time retrieval of public keys).

so it would be convenient if such public keys were then integrated with various client email programs as part of the address book (automatic process for adding email addresses to address book, then possibly also automatically add public key as part of the same address book entry). you could then, at least, have a button that would cross-check that the public key that came with the email was the same public key onfile with the sender's ISP. it would still be up to the recipient to provide a mapping/binding between an email address and an entity in the real world (if they so desired). the automatic add to the address book ... can work the same way automatic add to address book works today.

part of the issue might be considered separating the trust infrastructure from the standard addressing infrastructure. one of the downsides (compared to some of the downsides in the domain name infrastructure onfile public keys) for the certification authority industry ... is that public keys no longer require independent certification ... they just become part of the general addressing landscape.

lots & lots of past postings on SSL landscape
http://www.garlic.com/~lynn/subpubkey.html#sslcert

---------------------------------------------------------------------
The Cryptography Mailing List
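The flow sketched in the post above (register a public key with the ISP in lieu of a password, sign a login challenge instead of sending a password, auto-add the sender's key to the recipient's address book, and a "cross-check" button that compares the key that arrived with the mail against the key on file with the sender's ISP) as an added, self-contained example; it is not code from the post or from any ISP or mail client. The ISP directory, the address book, the mail format and the sample addresses are all constructed for the example, and the signature scheme is textbook RSA on two fixed small primes, used only so the check runs with the standard library; it is not a usable signature scheme.

```python
import hashlib
import os
from dataclasses import dataclass


def make_toy_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA on two fixed primes; constructed for illustration only."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    return (n, e), (n, d)          # (public key, private key)


def _digest_int(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(priv, msg: bytes) -> int:
    n, d = priv
    return pow(_digest_int(msg, n), d, n)


def verify(pub, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest_int(msg, n)


class IspDirectory:
    """ISP side: on-file public keys, registered in lieu of a password (constructed)."""

    def __init__(self):
        self.keys = {}                      # email address -> public key on file

    def register(self, email: str, pub) -> None:
        self.keys[email] = pub

    def lookup(self, email: str):
        return self.keys.get(email)         # "real time retrieval" of a public key

    def issue_challenge(self) -> bytes:
        return os.urandom(16)               # fresh nonce; the subscriber signs it

    def check_login(self, email: str, challenge: bytes, sig: int) -> bool:
        # Signature-in-lieu-of-password check, the PPP/RADIUS option the post mentions
        pub = self.lookup(email)
        return pub is not None and verify(pub, challenge, sig)


@dataclass
class Mail:
    sender: str
    body: bytes
    attached_pub: tuple     # the key that "came with the email"
    sig: int


def send_mail(sender: str, priv, pub, body: bytes) -> Mail:
    return Mail(sender, body, pub, sign(priv, body))


class AddressBook:
    """Recipient side: auto-adds the sender and the key that arrived with the mail."""

    def __init__(self):
        self.entries = {}

    def auto_add(self, mail: Mail) -> None:
        self.entries.setdefault(mail.sender, mail.attached_pub)


def cross_check(isp: IspDirectory, mail: Mail) -> str:
    """The 'button': is the attached key the same one on file with the sender's ISP,
    and does it verify the message? Binding the address to a real-world entity is
    still left to the recipient, as the post says."""
    on_file = isp.lookup(mail.sender)
    if on_file is None:
        return "no key on file"
    if on_file != mail.attached_pub:
        return "mismatch"
    return "match" if verify(mail.attached_pub, mail.body, mail.sig) else "bad signature"


def demo() -> dict:
    # Constructed keys: fixed primes chosen only to keep the toy RSA runnable offline
    alice_pub, alice_priv = make_toy_keypair(1000000007, 998244353)
    other_pub, other_priv = make_toy_keypair(2147483647, 1000000009)
    isp = IspDirectory()
    isp.register("alice@example.net", alice_pub)

    chal = isp.issue_challenge()
    login_ok = isp.check_login("alice@example.net", chal, sign(alice_priv, chal))
    login_wrong_key = isp.check_login("alice@example.net", chal, sign(other_priv, chal))

    genuine = send_mail("alice@example.net", alice_priv, alice_pub, b"meeting at 10")
    spoofed = send_mail("alice@example.net", other_priv, other_pub, b"please approve this")
    unknown = send_mail("bob@example.org", other_priv, other_pub, b"hi")
    tampered = Mail(genuine.sender, b"meeting at 11", genuine.attached_pub, genuine.sig)

    book = AddressBook()
    book.auto_add(genuine)
    return {
        "login_ok": login_ok,
        "login_wrong_key": login_wrong_key,
        "genuine": cross_check(isp, genuine),
        "spoofed": cross_check(isp, spoofed),
        "unknown": cross_check(isp, unknown),
        "tampered": cross_check(isp, tampered),
        "book_matches_isp": book.entries["alice@example.net"] == isp.lookup("alice@example.net"),
    }


if __name__ == "__main__":
    print(demo())
```

The point the example makes is that no certificate is involved anywhere: the ISP directory lookup is the trust anchor, the address book stores the key it first saw alongside the address, and the cross-check button only answers "same key as on file, and verifies" or not.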