Hi Julien,
On Wednesday 11 May 2005 21:59, Julien Pierre wrote:

> Ian G wrote:
>
> >>> but if it is anything like any of a dozen other signing
> >>> techs out there, it will probably surprise in how
> >>> vulnerable it is. Most signing applications were
> >>> put together with so many false assumptions that
> >>> they are either unusable or not worth using. Included
> >>> in that list are cousins like S/MIME.
> >
> > You could accuse me of spreading doom and
> > gloom and pessimism that there is no solution
> > to our woes .... but not FUD.
>
> Your quote above was the textbook definition of FUD. Negative, vague,
> with no actual information regarding the technology you don't like
> [S/MIME], only general, unprovable opinion.

Negative - sure, no contest :)

Vague - "if it is like any of a dozen other signing techs" ... Better described as a _broad_ statement. I am signalling that signing as a concept is a very difficult area. In other posts I get more specific, but unavoidably, we must start with a recognition that saying "something is signed" is a very broad, non-specific and, yes, vague statement when it comes to reliance.

S/MIME - see many posts on specific failings of the signing within this forum (or was it the other security one?) by me at other times. Signing in S/MIME is an area of concern.

> I could take your quote
> verbatim and say "PGP", and you couldn't prove me wrong one way or the
> other.

No, but neither would I. PGP signing is also included in the list - its signing capabilities are subject to nearly as much hype and misunderstanding as S/MIME.

Here's an example - because we want specifics:

In community A, web of trust is done by checking the identity via a photo ID and then signing the owner's key.

In community B, web of trust is done by being introduced by name, like Mickey Mouse, and then signing the person's key.

Yet, there is nothing to differentiate communities A and B in the tech - nor in their statements, and not even in their knowledge of the other's existence, in general.

> See http://en.wikipedia.org/wiki/FUD

Fun reading!

> > FUD is an abbreviation for Fear, Uncertainty, and Doubt, a sales or
> > marketing strategy of disseminating negative but vague or inaccurate
> > information on a competitor's product. The term originated to describe
> > misinformation tactics in the computer software industry and has since
> > been used more broadly.

Well, I accept it can be used more broadly, to describe for example any "bad statements about tech." But not accurately. To be accurately applied, it would need to cover a bunch of things:

* a competitor's product - specific
* statements vague or not backed up
* inaccurate statements
* misinformation
* also don't forget the fear, uncertainty, doubt part

However, my comment was not competitive - I am not proposing a competitor, as all or most suck, and you picked PGP as the competitor, not me.

It was broad rather than vague. Sure, the two are easy to confuse, but we can drill down into any particular tech to make a difference.

And it was accurate, in that there are very few digital signature applications and people out there that actually rely strongly on the digsig tech for the implied purpose - taking some action in a later phase. Revocation is such a one. See what Duane said earlier today - OCSP is going to be turned on this summer by Microsoft. That will be a big test of revocation as a tech that can be used in a multi-phase operation. But until then, and until we see some phishing attacks on CAs that result in revocations, the signatures provided by CAs - a.k.a. certs - are unproven in *reliance* terms.

iang

PS: today's entry: FUDWatch - VoIP success attracts the security parasites
https://www.financialcryptography.com/mt/archives/000466.html

--
http://iang.org/

_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
