[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Announcing Crypto Kong, Release Candidate Two.



    --
Announcing Crypto Kong, Release Candidate Two.

http://www.jim.com/jamesd/Kong

please test.

Crypto Kong, like PGP, provides digital signatures and
communications encryption.

The important difference between it and other products that
provide digital signatures and encryption is that it is not
certificate based.  Instead it is signature based.

This eliminates the steep initial learning and management
curves  of existing products.  The user does not need use and
manage  specialized certificates except for specialized
purposes

Perhaps more importantly, it also eliminates the threat we 
saw in England, the threat of the government giving itself a
monopoly in certificate distribution, potentially creating
the  Number-Of-The-Beast system, where you need a government 
certificate to log on to dirty picture sites, to buy, to 
sell, to put up web pages.

The big complexity and user hostility in existing products is 
creating and managing certificates.

For those who need contracts and certificates, (and with Kong
one almost never needs certificates) Kong handles them in an
easy and natural way.

See the discussion in the web site in the chapters:
     Linking digital IDs with paper documents or physical
     presence
and
     Certificates and contracts 

This aspect of Kong seems to have been insufficiently tested
in the beta tests.

 The key feature of the proposed product is that any
digitally  signed document can be stored in the database, and
itself  performs the functions of a certificate, just as a
normal handwritten  signature does.  The user usually does
not need to check a  document against a certificate to see if
it was signed by the "real"  John Doe.  Instead he normally
checks one document against other  documents stored in the
database that have the same signature. And similarly when he
encrypts a document, he does not need to  use a certificate
to encrypt a message to the one *real* John Doe,  he merely
encrypts a message to the *same* John Doe who signed  the
letter he is replying to.

At present people have to deal with certificate management  
problems regardless of whether they really need certificates. 
For example the most common usage of PGP is to check that two 
signatures that purport to be by the same person are in fact 
by the same person.   Unfortunately you cannot check one  
signature against another directly using PGP or any of the  
other existing products.  Instead you have to check both  
signatures against a public key certificate, even if the  
authentication information in that certificate is irrelevant 
to your purpose, which it usually is, which means that you  
have to download the certificate from somewhere, and the  
person signing it had to upload it somewhere.  As PGP always 
checks a document against the certificate, rather than
against  any other document the user happens to feel is
relevant to the  question, the person signing the document
needs to get his  certificate properly signed by some widely
trusted third party,  which is too much trouble or too
complicated for many people.

The signatures and contracts in Crypto Kong are optionally  
tolerant of email munging

The web pages contain a new web page "Business Vision" which 
discusses the widespread failure to adopt cryptography, the  
widespread reluctance to pay for cryptography, and the  
illiquidity of various products for transferring money on the 
net, and proposes a path to a solution.

Clearly, PGP has had rather poor penetration for business    
uses, and by and large, people only need to encrypt or sign  
stuff when there is money at stake.

I believe that this product will be more acceptable for  the 
typical businessman than PGP is, because it is easier to use, 
and existing business practices translate more  readily to   
the identity model it supports than does the PGP identity    
model.

The web page also contains full source code.

Crypto Kong is written in large part as ActiveX component, 
and the use interface and database management code is written 
in visual basic.

The use of ActiveX should make it easy to quickly code 
products and web page that perform tasks involving 
encryption.



    --digsig
         James A. Donald
     6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
     AXOOTHyx0TpTLdyQsBnt7WmaVIo1l4WDGabHKK0Y
     4Bxm/YWIEOTOK6zRVH57lP7PENFT5OFN+IR39Fcx8