M Taylor wrote:
> The UK Communications-Electronics Security Group (CESG), the "defensive"
> arm of the GCHQ, have published details about another PKC concept,
> identity-based PKC, where every user's public key is predetermined by a
> unique identifier, such as email address. It does use a(/two) trusted
> server(s), but might be viewed as an easier to use infrastructure than
> traditional PKI in some situations.

Skipping over the quadratic residuosity, as I read the powerpoints, the "Authority(ies)" create the private keys for users in response to "Hello, I'm Bob" identity proofs (unspecified). Then the private key is transmitted to alleged-Bob for use in private communication with Alice, et al.

How is this different from classic key escrow? It would appear that even if the "Authority" forgot Bob's private key they always have the information to regenerate it.

Even the discussion of "split authorities" (slides 48 ff) is eerily reminiscent of earlier proposed risk mitigation strategies for key escrow agents.

Paul
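
The escrow question raised above, as an added example that is not part of the original post or of the CESG material: a toy identity-based scheme built on quadratic residues, in which the authority recomputes a user's private key from its master secret alone. Assumptions: a Cocks-style construction, a constructed toy modulus, a hypothetical identity string, and function names chosen for illustration.

```python
import hashlib, secrets

# Constructed toy master secret: two Mersenne primes, both 3 mod 4 (far too small for real use).
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q  # public modulus; only the authority knows P and Q

def jacobi(a, n):  # Jacobi symbol (a/n) for odd n > 0
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def public_key(identity):  # anyone can compute this: hash the identity until (a/N) = +1
    counter = 0
    while True:
        digest = hashlib.sha256(f"{identity}|{counter}".encode()).digest()
        a = int.from_bytes(digest, "big") % N
        if jacobi(a, N) == 1:
            return a
        counter += 1

def authority_extract(identity):  # authority only: needs P and Q; r*r = a or -a (mod N)
    return pow(public_key(identity), (N + 5 - (P + Q)) // 8, N)

def encrypt_bit(identity, bit):  # sender: bit is +1 or -1; two values cover the a and -a cases
    a, out = public_key(identity), []
    for sign in (1, -1):
        t = secrets.randbelow(N - 2) + 2
        while jacobi(t, N) != bit:
            t = secrets.randbelow(N - 2) + 2
        out.append((t + sign * a * pow(t, -1, N)) % N)
    return tuple(out)

def decrypt_bit(identity, r, ciphertext):  # works for whoever holds r, Bob or the authority
    s = ciphertext[0] if pow(r, 2, N) == public_key(identity) else ciphertext[1]
    return jacobi(s + 2 * r, N)

# Escrow property: the authority never stored Bob's key, yet regenerates it on demand.
bob_key = authority_extract("bob@example.com")       # issued to Bob once
regenerated = authority_extract("bob@example.com")   # recomputed later from P, Q alone
assert regenerated == bob_key
```

Because the private key is a deterministic function of the identity and the master secret, deleting the issued key at the authority changes nothing; only protecting or splitting the master secret does.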