Alex Alten wrote:
> At 05:12 PM 2/26/2006 +0000, Ben Laurie wrote:
>> Alex Alten wrote:
>>> At 02:59 PM 2/24/2006 +0000, Ben Laurie wrote:
>>>> Ed Gerck wrote: We have keyservers for this (my chosen
>>>> technology was PGP). If you liken their use to looking up an
>>>> address in an address book, this isn't hard for users to grasp.
>>>>
>>>
>>> I used PGP (Enterprise edition?) to encrypt my work emails to a
>>> distributed set of members last year. We all had each other's
>>> public keys (about a dozen or so).
>>>
>>> What I really hated about it was that when fred company.com sent
>>> me an email often I couldn't decrypt it. Why? Because his
>>> firm's email server decided to put in the FROM field
>>> "fred server.company.com". Since it didn't match the email name
>>> in his X.509 certificate's DN it wouldn't decrypt the S/MIME
>>> attachment. This also caused problems with replying to his email.
>>> It took us hours, with several experimental emails sent back and
>>> forth, to figure out the root of the problem.
>>>
>>> No wonder PKI has died commercially and encrypted email is on the
>>> endangered species list.
>>
>> I trust you don't think this is a problem with PKI, right? Since
>> clearly the issue is with the s/w you were using.
>
> I place the blame squarely on X.509 PKI. The identity aspect of it
> is all screwed up. No software implementation can overcome such a
> fundamental architectural flaw.

OK - I'll bite - why does the sender's identity have any impact on the
recipient's ability to decrypt?

Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo metzdowd.com