Subject: RE: Fwd: [IP] A Simpler, More Personal Key to Protect Online Messages - msg#00045
List: encryption.general
> One difference is that with the identity-based crypto, once a sender
> has acquired the software and the CA's public key, he doesn't have to
> contact the CA to get anyone's "certificate". He can encrypt to anyone
> without having to contact the CA, just based on the email address.
> Your proposed substitute doesn't allow for this.
But you don't have to contact the CA to get someone's certificate.
A standard way is to send them an email saying "can you send me
a signed message?"
This also ensures you have the right public key. I haven't
studied the details of IBE, but I assume that (a) there may
be multiple IBE-based "CA"s, with different parameters, and
(b) the identity that's used to encrypt will be not just a
name, but a name and a date (to ensure that some revocation-like
capability exists). In either case, you can't simply pick the
email address and use it as the public key; you need to establish
some additional information first. This seems to put us back
in the same place as with standard PKI, usability-wise. (Or,
rather, there may be a usability delta for IBE, but it's very
small).
When you add to this the fact that the server knows your
decryption key... I really don't see why this is worth getting
excited about commercially, or even from an engineering perspective.
It's cool maths, though.
Cheers,
William
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@xxxxxxxxxxxx
Previous Message by Date:
Re: Fwd: [IP] A Simpler, More Personal Key to Protect Online Messages
At 05:30 PM 7/8/2003, Nomen Nescio wrote:
> One difference is that with the identity-based crypto, once a sender
> has acquired the software and the CA's public key, he doesn't have to
> contact the CA to get anyone's "certificate". He can encrypt to anyone
> without having to contact the CA, just based on the email address.
> Your proposed substitute doesn't allow for this.
True, but how valuable is that, given that you can't send the actual
message without contacting a server? I suppose one can construct
theoretical scenarios where that's a benefit, but it seems to be a pretty
narrow niche to me.
> but you don't need goofy new crypto to accomplish it.
The Weil pairing hardly constitutes "goofy new crypto". They are
doing all kinds of cool stuff with pairings these days, including
privacy-enhancing technology such as public keys with built-in forward
secrecy.
I retract the "goofy". My point was that the market is incredibly reluctant
to adopt new technology: if you can solve a problem with components known
to the marketplace, you're much more likely to be successful than if you
invent something new. This is above and beyond any reluctance to adopt new
cryptographic technology based on concerns about security.
Even if the Weil pairing is known to be 100% secure and tested, any new
solution has to, as a practical matter, leap a huge hurdle to overcome
available, well known alternatives. I've spent years attempting to get the
market to accept alternative security solutions, and I can testify to how
high that hurdle is. In my opinion, identity-based cryptography has
insufficient upside to overcome that hurdle, especially given that it is
not without its downsides (escrowed private keys, no protection against key
compromise).
- Tim
Next Message by Date:
Re: LibTomNet [v0.01]
At 05:42 PM 7/8/2003, Thor Lancelot Simon wrote:
> I believe the Certicom library is somewhere around there in size, and
> it is a pretty extensive implementation. Costs money though. ;-)
IIRC, the embedded SSL library I wrote (with Chris Hawk) at Certicom was <
64K of 68K code (we originally wrote it for PalmOS devices), including all
crypto, for a fully-compliant SSL 3.0 & X.509v3 implementation (client-side
SSL only, with a profiled subset of SSL ciphersuites and X.509 features, of
course). And it could run with a RAM usage of substantially less than
10K/connection. And we wrote it in less than a month (it was our third or
fourth time implementing SSL and X.509, though).
The complete Certicom library is somewhat bigger, but it's got a lot of
flexibility, (modular crypto interface, etc.), and code size wasn't a
concern on desktop/server platforms.
- Tim
Previous Message by Thread:
Re: Fwd: [IP] A Simpler, More Personal Key to Protect Online Messages
Tim Dierks writes:
> I don't think it's an interesting solution. I don't see any interesting
> application that's possible with this system which you couldn't do with
> existing public-key cryptography: for example, I could write a protocol &
> software where you could request a public key from a server for any e-mail
> address; if the user didn't already have an enrolled key, my trusted server
> would generate one and enroll it on their behalf. When they got an
> encrypted message, they could contact me, authenticate themselves, and I'd
> send them their secret key.
One difference is that with the identity-based crypto, once a sender
has acquired the software and the CA's public key, he doesn't have to
contact the CA to get anyone's "certificate". He can encrypt to anyone
without having to contact the CA, just based on the email address.
Your proposed substitute doesn't allow for this.
> but you don't need goofy new crypto to accomplish it.
The Weil pairing hardly constitutes "goofy new crypto". They are
doing all kinds of cool stuff with pairings these days, including
privacy-enhancing technology such as public keys with built-in forward
secrecy.
Next Message by Thread:
Re: Fwd: [IP] A Simpler, More Personal Key to Protect Online Messages
Show me an enterprise/person who would like to have their private keys
escrowed by a third-party, with all the liability/collusion/blackmail potential
that goes with it, and I'll show you a client for VS.
There are IMO many (and better) schemes when you want your private keys
to be known by a TTP. Including PKI.
Cheers,
Ed Gerck