[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: S/MIME




There is an old saying in the Security Field: "Poor Security is worse 
than
no security at all".

I doubt that you would find few if any that would agree with you that 
it
is a good thing having the masses using weak crypto. At least the US
members of the Open-PGP group are willing to sacrifice overseas sales 
in
the effort to provide STRONG crypto to EVERYONE. It is the right thing 
to
do. I am sorry to see that you do not uderstand this.

   Sorry, I'm going to continue to take a viewpoint that I suspect is 
rather unpopular in this list, and argue for the advantages of weak 
crypto in certain circumstances, when it is KNOWN to be weak.   The 
phrase "Poor security is worse than no security" refers to the dangers 
in assuming that your communications are secure, even when they're 
not.  If you know that your cryptography is weak, it can still 
sometimes be sufficient for your purposes. What weak cryptography does 
is protect from passive attacks, such as simple wire-tapping.  While 
an RC2/40 message can be trivially broken in a matter of hours, it 
can't be broken in real-time.  If EVERYONE used even RC2/40, then 
passive attacks would be foiled, because the <insert evil NSA/CSIS/etc 
here> just isn't going to bother breaking every single transmitted 
message.
   Now, of course, if you're doing something where you don't want your 
communications to be intercepted under any circumstances, then you 
want to be using something stronger than RC2/40.  However, S/MIME 
doesn't prevent that at all.  DES is a published standard, and I'm 
waiting for somebody outside of the USA to implement triple-DES with 
S/MIME.  This will inter-operate with Outlook and Netscape clients 
inside the USA (theoretically).
   Including a minimum baseline of weak cryptography is NOT denying 
strong cryptography to everyone.  Once the patent on RC2 expires 
(which is very soon) or if RSA gets dropped on their head and finally 
does the intelligent move of releasing it to the public domain, then 
S/MIME provides an expandable infrastructure for secure mail, with a 
huge user base already out there, and in a form much more spoonable to 
the unwashed masses.

						Ian