Ian G wrote:
> Steven M. Bellovin wrote:
>> On Mon, 12 Feb 2007 17:03:32 -0500
>> Matt Blaze <[EMAIL PROTECTED]> wrote:
>>
>>> I'm all for email encryption and signatures, but I don't see
>>> how this would help against today's phishing attacks very much,
>>> at least not without a much better trust management interface on
>>> email clients (of a kind much better than currently exists
>>> in web browsers).
>>>
>>> Otherwise the phishers could just sign their email messages with
>>> valid, certified email keys (that don't belong to the bank)
>>> the same way their decoy web traffic is sometimes signed with
>>> valid, certified SSL keys (that don't belong to the bank).
>>>
>>> And even if this problem were solved, most customers still
>>> wouldn't know not to trust unsigned messages purporting
>>> to be from their bank.
>>>
>>
>> Precisely. The real problem is the human interface, where we're asking
>> people to suddenly notice the absence of something they're not used to
>> seeing in the first place.
>
>
> Actually, there are many problems. If you ask the low-level crypto
> guys, they say that the HI is the problem. If you ask the HI guys, they
> say that the PKI concept is the problem. If you ask the PKI people,
> they say the users are not playing the game, and if you ask the users
> they say the deployment is broken ... Everyone has got someone else to
> blame.
>
> They are all right, in some sense. The PKI concepts need loosening up,
> emails should be digsig'd for authentication (**), and the HI should
> start to look at what those digsigs could be used for.
>
> But, until someone breaks the deadly embrace, nothing is going to
> happen. That's what James is alluding to: what part can we fix, and
> will it help the others to move?
>
> iang
>
> ** I didn't say digital signing ... that's another problem that needs
> fixing before it is safe to use, from the "ask the lawyers" basket.

Perfectly safe to use in the UK. But sorry, I forgot that only the US
exists.

--
http://www.apache-ssl.org/ben.html       http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff