[cryptography] Let's go back to the beginning on this

Ian G iang at iang.org
Tue Sep 13 10:54:42 EDT 2011

On 13/09/2011, at 23:57, Jeffrey Walton <noloader at gmail.com> wrote:

> On Mon, Sep 12, 2011 at 5:48 PM, James A. Donald <jamesd at echeque.com> wrote:
>>    --
>> On 2011-09-11 4:09 PM, Jon Callas wrote:
>>> The bottom line is that there are places that continuity
>>> works well -- phone calls are actually a good one. There
>>> are places it doesn't. The SSL problem that Lucky has
>>> talked about so well is a place where it doesn't. Amazon
>>> can't use continuity. It is both inconvenient and insecure.
>> Most people who login to Amazon have a long existing relationship: Hence key
>> continuity and SRP would work well.
> I can't help but feel that Thomas Wu's SRP (or other PAKEs) would have
> helped the folks in Iran. A process which only requires two parties
> (Google and the individual) had three parties, one of whom failed
> spectacularly.

It's possibly worth remembering that in 1994, PKI assumptions looked better.

There were no natural authorities or TTPs on the net. The closest we got was Netscape, yahoo, network solutions and Postel.

For various reasons, nobody saw these players in the way that we now see the players. Now we have search engines, amazon, eBay, Microsoft, apple, competitive registries, wikipedia, cacert, eff, Mozilla, ... And that's before we get to Facebook and hundreds of social networks.

The map has changed, it's chock full of natural parties of trust.
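To make concrete the distinction the quoted replies draw between key continuity and a third-party (PKI) check, here is an added Python example; it is not code from this thread or from anyone quoted in it. The certificate records, the host name `mail.example`, the issuer names and the keys are all constructed placeholders, and the helpers `make_cert`, `third_party_check` and `ContinuityStore` are hypothetical. It models a client that visits the same host three times: a PKI-style check accepts every visit because each certificate is vouched for by an issuer in the root store, while a continuity store that pinned the key on first contact reports the third visit as a mismatch, because a different trusted issuer has vouched for a key the host never presented before.

```python
import hashlib
from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-ins for X.509 certificates. A real client would parse the
# DER it receives in the TLS handshake; only the fields the two trust models
# actually consult are modelled here.
Cert = Dict[str, str]


def make_cert(host: str, public_key: bytes, issuer: str) -> Cert:
    """Build a constructed certificate record (hypothetical helper)."""
    return {"host": host, "key": public_key.hex(), "issuer": issuer}


def fingerprint(public_key_hex: str) -> str:
    """SHA-256 over the public key bytes: the value a continuity store pins."""
    return hashlib.sha256(bytes.fromhex(public_key_hex)).hexdigest()


def third_party_check(cert: Cert, host: str, trusted_issuers: Set[str]) -> bool:
    """The PKI model: accept any certificate for `host` that any trusted issuer
    vouches for. Nothing here remembers what was presented last time, so a
    mis-issued certificate from one bad issuer looks exactly like the genuine one."""
    return cert["host"] == host and cert["issuer"] in trusted_issuers


class ContinuityStore:
    """Key continuity (trust on first use): pin the fingerprint seen on first
    contact with a host and report any later change instead of silently
    accepting it."""

    def __init__(self) -> None:
        self._pins: Dict[str, str] = {}

    def check(self, cert: Cert, host: str) -> str:
        if cert["host"] != host:
            return "wrong-host"
        fp = fingerprint(cert["key"])
        known = self._pins.get(host)
        if known is None:
            self._pins[host] = fp   # first contact: nothing to compare against yet
            return "first-use"
        return "continuity" if known == fp else "mismatch"

    def rotate(self, host: str, cert: Cert) -> None:
        """Accept a key change only as an explicit, user-confirmed action."""
        self._pins[host] = fingerprint(cert["key"])

    def pinned(self, host: str) -> Optional[str]:
        return self._pins.get(host)


def run_scenario() -> List[Tuple[str, bool, str]]:
    """Three visits to one host. Keys are constructed; issuer names are
    placeholders, not real CAs."""
    host = "mail.example"
    trusted = {"issuer-a", "issuer-b"}   # both sit in the client's root store
    genuine_key = bytes(range(32))
    other_key = bytes(range(32, 64))     # a key the site never controlled

    visits = [
        ("visit-1", make_cert(host, genuine_key, "issuer-a")),
        ("visit-2", make_cert(host, genuine_key, "issuer-a")),
        # issuer-b, still trusted by the client, has vouched for a different key
        ("visit-3", make_cert(host, other_key, "issuer-b")),
    ]
    store = ContinuityStore()
    results = []
    for label, cert in visits:
        results.append((label, third_party_check(cert, host, trusted), store.check(cert, host)))
    return results


if __name__ == "__main__":
    for label, pki_ok, continuity in run_scenario():
        print(f"{label}: third-party model accepts={pki_ok}, continuity={continuity}")
```

The `mismatch` result is a signal to stop and investigate, not proof of anything by itself: the same outcome appears on a legitimate key rotation, which is why the store only moves its pin through the explicit `rotate` step. That rotation cost, together with the unprotected first contact, is the inconvenience Jon Callas points to above; the scenario shows the other side of the trade, namely that continuity catches a change the third-party model has no way to notice.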
