[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: More FUD from First Virtual

To: [email protected]
Subject: Re: More FUD from First Virtual
From: Adam Shostack <[email protected]>
Date: Sun, 10 Dec 1995 13:08:29 -0500 (EST)
Cc: [email protected] (Cypherpunks Mailing List)
In-Reply-To: <199512101114.FAA26720@khijol> from "Ed Carp" at Dec 10, 95 04:03:21 am
Sender: [email protected]

Ed Carp wrote:

| Adam Shostack <[email protected]>
| > jim bell wrote:
| > 
| > [Good points about cost of transactions deleted]
| > 
| > | The answer, I think, it that there would be no problem finding people to
| > | take that risk in exchange for the return, ESPECIALLY if they have some
| > | input into the design (level of security) of the system.  They might insist
| > | on 2048-bit RSA keys, instead of 1024-bit, for example.
| > 
| > 	(I know its only an example, but...)
| > 
| > 	Key length is not what is needed for better security; more
| > solid code and better interfaces are needed.  (I might also argue for
| > hardware keys that are more difficult to steal..)
| 
| Nonsense.  The code is pretty solid, the interfaces aren't very 
| difficult.  What is needed is better human management of keys.  Why 
| brute-force, why look for weak keys, why bother calculating how much 
| safer 2047-bit keys are rather than 1024-bit keys when someone can 
| look on your HD and find your secret key, when they can open your 
| desk drawer and find your pass phrase or password, when they can 
| guess that you used your wife's maiden name as your password?
|
| Adam, I don't understand why you wrote nonsense in the first 
| paragraph, then followed it up with textbook attacks such as:

	I use PGP becuase its pretty good, but if I was going to trust
all my money to it, I'd want better code (especially in key
management.  And the Mac port needs a few man months of work. ;) I
don't know how solid the code is in the ecash client.  I do know that
Netscape & Microsoft can't seem to ship decent code.   (This is a
reflection of the way the industry has evolved; the first system to
require a bigger processor due to creeping featuritis gets the most
market share.   Quality of code seems to be unimportant.)  No flame at
Netscape here; they're doing what the market, conditioned by MS to
never expect bug free code, seems to want.

	Further, the interfaces are not decent.  Ever tried teaching
your mother to use PGP?  I have a lot of smart freinds; a lot of them,
while understanding how easy it is to read mail in transit, haven't
found a PGP front end thats easy enough to use that they will use it.
(This is not an invitation to send me your favorite GUI to PGP
(although if anyone has a web page of all/most of them, with reviews &
comments and maybe even screen shots, I'd like the URL.)

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume

References:
- Re: More FUD from First Virtual
  - From: "Ed Carp" <[email protected]>

Prev by Date: NSA rigs Crypto machines according to Balto Sun
Next by Date: Re: The Elevator Problem
Prev by thread: Re: More FUD from First Virtual
Next by thread: Re: More FUD from First Virtual
Index(es):
- Date
- Thread