1995-12-10 - Re: More FUD from First Virtual
Header Data
From: Adam Shostack <adam@homeport.org>
To: khijol!netcom.com!ecarp@homeport.org
Message Hash: 0c219c024731e759203e3b40640fe4840d88d49092a989240792e97fcd04f58b
Message ID: <199512101808.NAA06132@homeport.org>
Reply To: <199512101114.FAA26720@khijol>
UTC Datetime: 1995-12-10 18:05:22 UTC
Raw Date: Sun, 10 Dec 95 10:05:22 PST
Raw message
From: Adam Shostack <adam@homeport.org>
Date: Sun, 10 Dec 95 10:05:22 PST
To: khijol!netcom.com!ecarp@homeport.org
Subject: Re: More FUD from First Virtual
In-Reply-To: <199512101114.FAA26720@khijol>
Message-ID: <199512101808.NAA06132@homeport.org>
MIME-Version: 1.0
Content-Type: text
Ed Carp wrote:
| Adam Shostack <adam@homeport.org>
| > jim bell wrote:
| >
| > [Good points about cost of transactions deleted]
| >
| > | The answer, I think, it that there would be no problem finding people to
| > | take that risk in exchange for the return, ESPECIALLY if they have some
| > | input into the design (level of security) of the system. They might insist
| > | on 2048-bit RSA keys, instead of 1024-bit, for example.
| >
| > (I know its only an example, but...)
| >
| > Key length is not what is needed for better security; more
| > solid code and better interfaces are needed. (I might also argue for
| > hardware keys that are more difficult to steal..)
|
| Nonsense. The code is pretty solid, the interfaces aren't very
| difficult. What is needed is better human management of keys. Why
| brute-force, why look for weak keys, why bother calculating how much
| safer 2047-bit keys are rather than 1024-bit keys when someone can
| look on your HD and find your secret key, when they can open your
| desk drawer and find your pass phrase or password, when they can
| guess that you used your wife's maiden name as your password?
|
| Adam, I don't understand why you wrote nonsense in the first
| paragraph, then followed it up with textbook attacks such as:
I use PGP becuase its pretty good, but if I was going to trust
all my money to it, I'd want better code (especially in key
management. And the Mac port needs a few man months of work. ;) I
don't know how solid the code is in the ecash client. I do know that
Netscape & Microsoft can't seem to ship decent code. (This is a
reflection of the way the industry has evolved; the first system to
require a bigger processor due to creeping featuritis gets the most
market share. Quality of code seems to be unimportant.) No flame at
Netscape here; they're doing what the market, conditioned by MS to
never expect bug free code, seems to want.
Further, the interfaces are not decent. Ever tried teaching
your mother to use PGP? I have a lot of smart freinds; a lot of them,
while understanding how easy it is to read mail in transit, haven't
found a PGP front end thats easy enough to use that they will use it.
(This is not an invitation to send me your favorite GUI to PGP
(although if anyone has a web page of all/most of them, with reviews &
comments and maybe even screen shots, I'd like the URL.)
Adam
--
"It is seldom that liberty of any kind is lost all at once."
-Hume
Thread
Return to December 1995
- Return to “Adam Shostack <adam@homeport.org>”
Return to ““Ed Carp” <ecarp@netcom.com>”
- 1995-12-10 (Sun, 10 Dec 95 02:12:00 PST) - Re: More FUD from First Virtual - “Ed Carp” <ecarp@netcom.com>
- 1995-12-10 (Sun, 10 Dec 95 10:05:22 PST) - Re: More FUD from First Virtual - Adam Shostack <adam@homeport.org>