Anders Rundgren wrote:
Ian G wrote:
=> Encrypting/signing must be made a business requirement in contracts.
That's the whole point. And there's no technical solution for it.
That's as close to a perfect dilemma as I've come across! It's not a
business requirement, so we must make it a business requirement ...
Another alternative is to
Anders, still you fail to see the real problems since you propose
technical solutions for non-technical issues.
But let's see:
1. abandon non-scalable trust infrastructures such as the one required by
S/MIME
Why "non-scalable"? Can you be more verbose?
2. abandon schemes that use explicit encryption keys like S/MIME
Are you aware of the requirements for separate encryption keys? Some
companies have the legal requirements for key escrow in litigation
cases. That's the main reason why encryption and signature keys are
separated.
3. introduce secure mobile secure key-storage
Ah, yeah. Did you ever think of a growing key history and such?
4. put the latter in cell phones
Even cell phones can break. And I don't consider them to be trustworthy
key stores
1. with all the control the cell phone provider has over them,
2. all the gadgets installed with security issues,
3. with the limited data storage size on today's SIM cards.
And the main point: You fail to explain how trust is to be established.
Ciao, Michael.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto