1997-11-04 - RE: S/MIME

Header Data

From: “William H. Geiger III” <whgiii@invweb.net>
To: Ian Clysdale <iancly@entrust.com>
Message Hash: f2802f2b3ebf26f1c0f752bc7188eb4961dae9422901efcad83583bcbf3b873a
Message ID: <199711042002.PAA28874@users.invweb.net>
Reply To: <c=CA%a=_%p=NorTel_Secure_Ne%l=APOLLO-971104162419Z-34904@mail.entrust.com>
UTC Datetime: 1997-11-04 20:29:44 UTC
Raw Date: Wed, 5 Nov 1997 04:29:44 +0800

Raw message

From: "William H. Geiger III" <whgiii@invweb.net>
Date: Wed, 5 Nov 1997 04:29:44 +0800
To: Ian Clysdale <iancly@entrust.com>
Subject: RE: S/MIME
In-Reply-To: <c=CA%a=_%p=NorTel_Secure_Ne%l=APOLLO-971104162419Z-34904@mail.entrust.com>
Message-ID: <199711042002.PAA28874@users.invweb.net>
MIME-Version: 1.0
Content-Type: text/plain



-----BEGIN PGP SIGNED MESSAGE-----

>>There is an old saying in the Security Field: "Poor Security is worse 
>>than no security at all".

>>I doubt that you would find few if any that would agree with you that  it
>>is a good thing having the masses using weak crypto. At least the US
>>members of the Open-PGP group are willing to sacrifice overseas sales  in
>>the effort to provide STRONG crypto to EVERYONE. It is the right thing 
>>to do. I am sorry to see that you do not uderstand this.

In
<c=CA%a=_%p=NorTel_Secure_Ne%l=APOLLO-971104162419Z-34904@mail.entrust.com>,
on 11/04/97 
   at 11:24 AM, Ian Clysdale <iancly@entrust.com> said:


>   Sorry, I'm going to continue to take a viewpoint that I suspect is 
>rather unpopular in this list, and argue for the advantages of weak 
>crypto in certain circumstances, when it is KNOWN to be weak.   The 
>phrase "Poor security is worse than no security" refers to the dangers 
>in assuming that your communications are secure, even when they're  not. 
>If you know that your cryptography is weak, it can still  sometimes be
>sufficient for your purposes. What weak cryptography does  is protect
>from passive attacks, such as simple wire-tapping.  While  an RC2/40
>message can be trivially broken in a matter of hours, it  can't be broken
>in real-time.  If EVERYONE used even RC2/40, then  passive attacks would
>be foiled, because the <insert evil NSA/CSIS/etc  here> just isn't going
>to bother breaking every single transmitted  message.
>   Now, of course, if you're doing something where you don't want your 
>communications to be intercepted under any circumstances, then you  want
>to be using something stronger than RC2/40.  However, S/MIME  doesn't
>prevent that at all.  DES is a published standard, and I'm  waiting for
>somebody outside of the USA to implement triple-DES with  S/MIME.  This
>will inter-operate with Outlook and Netscape clients  inside the USA
>(theoretically).
>   Including a minimum baseline of weak cryptography is NOT denying 
>strong cryptography to everyone.  Once the patent on RC2 expires  (which
>is very soon) or if RSA gets dropped on their head and finally  does the
>intelligent move of releasing it to the public domain, then  S/MIME
>provides an expandable infrastructure for secure mail, with a  huge user
>base already out there, and in a form much more spoonable to  the
>unwashed masses.

This is nothing but selfserving bullshit in a vain effort to justify YOUR
sellout for a paycheck.


Your product will use WEAK RC2/40 DOMESTICALLY as long as it is
communicating with someone useing these weak keys. How does your program
warn the user that the crypto being used is unacceptable?? Does it warn
them at all?? Does it refuse to use the WEAK crypto?? I know I get no
warning from NS if weak keys are being used, just the happy key to tell me
everything is ok. Do you see this as a GoodThing(TM)?? WEAK crypto is WEAK
crypto and should not be tolerated in any way shape or form. 

Having a minimum baseline of weak crypto is not a GoodThing(TM) it is a
BadThing(TM). If the people at Entrust can't figure that out then I have
serious question as to the security and quality of your product regardless
of the algorthims being used!!

PS: Please learn how to set up your mailer so that it quotes properly.
<sigh> one would think that someone in this business could grasp such
basic concepts.


- -- 
- ---------------------------------------------------------------
William H. Geiger III  http://www.amaranth.com/~whgiii
Geiger Consulting    Cooking With Warp 4.0

Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 2.6.3a at: http://www.amaranth.com/~whgiii/pgpmr2.html                        
- ---------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: cp850
Comment: Registered_User_E-Secure_v1.1b1_ES000000

iQCVAwUBNF9+wI9Co1n+aLhhAQFFmQQAwCkTiFRFkwzAKiN6fticBSDWLFBktCA/
Wmkr627F3MkTYEmESrtXdlFAB44rvuDsK65VT1SHvvpFzzhDxL3l/ZB3Jl8toWQs
HAhL908zFT+h6/TnKDcvW70kHIILrpYa/cdJNsruN6s2+gf5OqkMkd1rUsO8FfE3
s6DileG6eSk=
=2Rif
-----END PGP SIGNATURE-----






Thread