[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: making public keys public

To: [email protected]
Subject: Re: making public keys public
From: "L. McCarthy" <[email protected]>
Date: Mon, 5 Dec 1994 05:51:42 -0500
Sender: [email protected]

-----BEGIN PGP SIGNED MESSAGE-----

- -----BEGIN PGP SIGNED MESSAGE-----

Eric Hughes writes:
> >  If you're not going to make the public key public, why use public key
> >  cryptography at all ?  Save time and effort and use a symmetric cipher.
> 
> You can't do authentication with a shared secret key, because there's
> nothing to differentiate the two sides of the link.

Is it really important to distinguish the two sides ?  The additional threat
is that an attacker could spoof my correspondent to me, once she's grabbed my
secret key. But a) I thought we were assuming that other people being spoofed
is _their_ problem, not ours, and b) if she's nabbed my key, odds are she's
hacked my account anyway, leaving me with much larger problems.

> In addition, a closely held public key might be held by 10 people;

Hmm, `closely-held' suggests that the `public' key is being passed around
as a secret over some channels, in which case it might as well be
a secret key being passed around over those channels to the 10 people.

> with secret keys there are 90 different private keys instances to
> manage.

Wouldn't there only be 45 ?  I agree that this is quite a few, but it's a
reasonable tradeoff between disk space and processing speed unless you're
communicating with a large number of people.

- - -L. Futplex McCarthy; PGP key by finger or server  "We've got computers, 
we're tapping phone lines; I know that that ain't allowed" --Talking Heads

- -----BEGIN PGP SIGNATURE-----
Version: 2.6.1

iQCVAwUBLuLvdWf7YYibNzjpAQG0GQP9FIJkCLF4XbZEoydrVfCnHg32FGL5EQ1A
2286GqvVQuy6hwtqV888TOZmLkQpMjrmq+paTQpozu5s8L4z/L9WZbbyk0C/alMv
faTwpUe1neSStR3KbrxK0BuP70OBKBbdZZfHI/t4Kn8jTimeBA/IG2Iou/8gecX2
g8d0otexmwI=
=FtUZ
- -----END PGP SIGNATURE-----
- ---
[This message has been signed by an auto-signing service.  A valid signature
means only that it has been received at the address corresponding to the
signature and forwarded.]

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Gratis auto-signing service

iQBFAwUBLuLwpyoZzwIn1bdtAQFUfgGAsdDHynQfWLxX+cmCz9vxkzwQ0sIikuVG
XCp0rwhl/C1P1HXBF2Xk135HXa7RO6kC
=OnyQ
-----END PGP SIGNATURE-----

Prev by Date: Re: public accounts / PGP / passphrases
Next by Date: Re: future entrapment
Prev by thread: Re: making public keys public
Next by thread: autodecrypting incoming mail
Index(es):
- Date
- Thread