[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
An open letter to Commtouch
Hi Commtouch people,
I am intrigued and hopeful about your secure e-mail product, Pronto
Secure. However, I am puzzled about its support for POTP encryption.
The other encryption protocols (PGP, PEM, MOSS, and S/MIME) have
all been reviewed carefully by outside experts, and there is general
consensus that these protocols embody state-of-the-art cryptographic
technology, and that there are no known major security flaws. POTP
stands out on your list because such a review has not been carried
out. In fact, grave doubts have been raised regarding its security,
and (to my taste, anyway) not satisfactorily answered.
I do not wish to raise those points here, nor do I wish to claim
here that POTP is insecure. However, I believe the reputation of your
product is drawn into question by association. Should POTP be
definitively demonstrated to be weak, then it would not be the case
that using your product according to the instructions would provide
"security." Further, I would consider it slightly misleading to
describe it as "mission-critical."
I feel the situation is analogous to that of a hypothetical
networking company claiming that their product delivers high bandwidth
by offering the choice of ATM, Myrinet, 100Mbps Ethernet, or string
and tin cans.
That said, I applaud your multiprotocol approach in general. In
fact, I feel it is the future of Internet security tools. I hope your
product gains widespread acceptance, and helps to further the cause of
deployment of strong crypto.
Raph Levien