Ian G wrote:
>> => Encrypting/signing must be made a business requirement in contracts.
>> That's the whole point. And there's no technical solution for it.
>That's as close to a perfect dilemma as I've come across! It's not a
>business requirement, so we must make it a business requirement ...

Another alternative is to

1. abandon non-scalable trust infrastructures such as the one required by S/MIME
2. abandon schemes that use explicit encryption keys like S/MIME
3. introduce secure mobile secure key-storage
4. put the latter in cell phones

I'm currently working with 3 and 4.

http://keycenter.webpki.org/javadoc/keystore/phone/keystore/crypto/VirtualSE.html
http://webpki.org/papers/keygen2/keygen-all-protocol-steps.html

The schemes we have today where the majority of users do not have a mobile key-store are impossible for large-scale use of two-factor authentication.

Anders