[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: More FUD from First Virtual



Ed Carp wrote:

| Adam Shostack <[email protected]>
| > jim bell wrote:
| > 
| > [Good points about cost of transactions deleted]
| > 
| > | The answer, I think, it that there would be no problem finding people to
| > | take that risk in exchange for the return, ESPECIALLY if they have some
| > | input into the design (level of security) of the system.  They might insist
| > | on 2048-bit RSA keys, instead of 1024-bit, for example.
| > 
| > 	(I know its only an example, but...)
| > 
| > 	Key length is not what is needed for better security; more
| > solid code and better interfaces are needed.  (I might also argue for
| > hardware keys that are more difficult to steal..)
| 
| Nonsense.  The code is pretty solid, the interfaces aren't very 
| difficult.  What is needed is better human management of keys.  Why 
| brute-force, why look for weak keys, why bother calculating how much 
| safer 2047-bit keys are rather than 1024-bit keys when someone can 
| look on your HD and find your secret key, when they can open your 
| desk drawer and find your pass phrase or password, when they can 
| guess that you used your wife's maiden name as your password?
|
| Adam, I don't understand why you wrote nonsense in the first 
| paragraph, then followed it up with textbook attacks such as:

	I use PGP becuase its pretty good, but if I was going to trust
all my money to it, I'd want better code (especially in key
management.  And the Mac port needs a few man months of work. ;) I
don't know how solid the code is in the ecash client.  I do know that
Netscape & Microsoft can't seem to ship decent code.   (This is a
reflection of the way the industry has evolved; the first system to
require a bigger processor due to creeping featuritis gets the most
market share.   Quality of code seems to be unimportant.)  No flame at
Netscape here; they're doing what the market, conditioned by MS to
never expect bug free code, seems to want.

	Further, the interfaces are not decent.  Ever tried teaching
your mother to use PGP?  I have a lot of smart freinds; a lot of them,
while understanding how easy it is to read mail in transit, haven't
found a PGP front end thats easy enough to use that they will use it.
(This is not an invitation to send me your favorite GUI to PGP
(although if anyone has a web page of all/most of them, with reviews &
comments and maybe even screen shots, I'd like the URL.)

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume