1997-11-04 - RE: S/MIME
Header Data
From: Ian Clysdale <iancly@entrust.com>
To: “‘William H. Geiger III’” <whgiii@invweb.net>
Message Hash: b6eb1df935f7dfc439ca85b48f7a3af4a17c7802dead6b7db025b26a560cd0f1
Message ID: <c=CA%a=%p=NorTel_Secure_Ne%l=APOLLO-971104162419Z-34904@mail.entrust.com>
Reply To: _N/A
UTC Datetime: 1997-11-04 17:01:33 UTC
Raw Date: Wed, 5 Nov 1997 01:01:33 +0800
Raw message
From: Ian Clysdale <iancly@entrust.com>
Date: Wed, 5 Nov 1997 01:01:33 +0800
To: "'William H. Geiger III'" <whgiii@invweb.net>
Subject: RE: S/MIME
Message-ID: <c=CA%a=_%p=NorTel_Secure_Ne%l=APOLLO-971104162419Z-34904@mail.entrust.com>
MIME-Version: 1.0
Content-Type: text/plain
There is an old saying in the Security Field: "Poor Security is worse
than
no security at all".
I doubt that you would find few if any that would agree with you that
it
is a good thing having the masses using weak crypto. At least the US
members of the Open-PGP group are willing to sacrifice overseas sales
in
the effort to provide STRONG crypto to EVERYONE. It is the right thing
to
do. I am sorry to see that you do not uderstand this.
Sorry, I'm going to continue to take a viewpoint that I suspect is
rather unpopular in this list, and argue for the advantages of weak
crypto in certain circumstances, when it is KNOWN to be weak. The
phrase "Poor security is worse than no security" refers to the dangers
in assuming that your communications are secure, even when they're
not. If you know that your cryptography is weak, it can still
sometimes be sufficient for your purposes. What weak cryptography does
is protect from passive attacks, such as simple wire-tapping. While
an RC2/40 message can be trivially broken in a matter of hours, it
can't be broken in real-time. If EVERYONE used even RC2/40, then
passive attacks would be foiled, because the <insert evil NSA/CSIS/etc
here> just isn't going to bother breaking every single transmitted
message.
Now, of course, if you're doing something where you don't want your
communications to be intercepted under any circumstances, then you
want to be using something stronger than RC2/40. However, S/MIME
doesn't prevent that at all. DES is a published standard, and I'm
waiting for somebody outside of the USA to implement triple-DES with
S/MIME. This will inter-operate with Outlook and Netscape clients
inside the USA (theoretically).
Including a minimum baseline of weak cryptography is NOT denying
strong cryptography to everyone. Once the patent on RC2 expires
(which is very soon) or if RSA gets dropped on their head and finally
does the intelligent move of releasing it to the public domain, then
S/MIME provides an expandable infrastructure for secure mail, with a
huge user base already out there, and in a form much more spoonable to
the unwashed masses.
Ian
Thread
Return to November 1997
- Return to “Ian Clysdale <iancly@entrust.com>”
- Return to “Jim Gillogly <jim@acm.org>”
Return to ““William H. Geiger III” <whgiii@invweb.net>”
- 1997-11-04 (Wed, 5 Nov 1997 01:01:33 +0800) - RE: S/MIME - Ian Clysdale <iancly@entrust.com>
- 1997-11-04 (Wed, 5 Nov 1997 01:54:56 +0800) - Re: S/MIME - Jim Gillogly <jim@acm.org>
- 1997-11-04 (Wed, 5 Nov 1997 04:29:44 +0800) - RE: S/MIME - “William H. Geiger III” <whgiii@invweb.net>