From: “James A. Donald” <jamesd@echeque.com>
To: cryptography@c2.net
Message Hash: 49d76edb61dd500b7f0d873b60841d76745eb66a307885c905707b821f3d1d30
Message ID: <199712050100.RAA04735@proxy4.ba.best.com>
Reply To: N/A
UTC Datetime: 1997-12-05 01:12:33 UTC
Raw Date: Fri, 5 Dec 1997 09:12:33 +0800
Subject: Please Beta test my communications cryptography product.
--
I have produced a program that, like PGP, provides digital
signatures and communications encryption.

http://www.jim.com/jamesd/Kong/Kong.htm

This is the first beta. Please beta test this product.

The important difference between it and other products
that provide digital signatures and encryption is that it
is not certificate based. Instead it is signature based.

This eliminates the steep initial learning and management curves
of existing products. The user does not need to use and manage
specialized certificates except for specialized purposes.

The big complexity and user hostility in existing products is
creating and managing certificates.

Perhaps more importantly, it also eliminates the threat we
saw in England, the threat of the government giving itself
a monopoly in certificate distribution, potentially creating the
Number-Of-The-Beast system, where you need a government
certificate to log on to dirty picture sites, to buy, to
sell, to put up web pages.

The key feature of the proposed product is that any digitally
signed document can be stored in the database, and itself
performs the functions of a certificate, just as a normal handwritten
signature does. The user usually does not need to check a
document against a certificate to see if it was signed by the "real"
John Doe. Instead he normally checks one document against
another to see if they were both signed by the same John Doe.

And similarly when he encrypts a document, he does not need to
use a certificate to encrypt a message to the one real John Doe,
he merely encrypts a message to the same John Doe who signed
the letter he is replying to.

At present people have to deal with certificate management
problems regardless of whether they really need certificates.

For example the most common usage of PGP is to check that two
signatures that purport to be by the same person are in fact
by the same person. Unfortunately you cannot check one
signature against another directly using PGP or any of the
other existing products. Instead you have to check both
signatures against a public key certificate, even if the
authentication information in that certificate is irrelevant
to your purpose, which it usually is, which means that you
have to download the certificate from somewhere, and the
person signing it had to upload it somewhere. As PGP always
checks a document against the certificate, rather than against
any other document the user happens to feel is relevant to the
question, the person signing the document needs to get his
certificate properly signed by some widely trusted third party,
which is too much trouble or too complicated for many people.
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
z8/j/L3kF7oCmOp/iF2oh/pwgP/mATjOTUdv1uGy
DlPh9Op11Z1CtFuByebVsk8yJo4WuUMuFk4S/TMp
---------------------------------------------------------------------
We have the right to defend ourselves and our property, because of
the kind of animals that we are. True law derives from this right,
not from the arbitrary power of the state.
http://www.jim.com/jamesd/
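
The comparison the message describes, checking a new signed document against one already stored instead of against a certificate, as an added example that is not from the original message or from Kong itself. It assumes each signed document carries the signer's public key, and uses Ed25519 from Node.js as a stand-in algorithm; the function names and sample documents are constructed for illustration.

```javascript
// Added illustration: key continuity between signed documents, no certificates.
// Assumption: every signed document carries the signer's public key next to
// its signature. Ed25519 is a stand-in, not the product's own algorithm.
const nodeCrypto = require('crypto');

// Sign the text and attach the public key so the document is self-contained.
function signDocument(name, text, keyPair) {
  const publicKey = keyPair.publicKey
    .export({ type: 'spki', format: 'der' }).toString('base64');
  const signature = nodeCrypto
    .sign(null, Buffer.from(text, 'utf8'), keyPair.privateKey).toString('base64');
  return { name, text, publicKey, signature };
}

// True when the signature matches the public key embedded in the document.
function verifyDocument(doc) {
  try {
    const key = nodeCrypto.createPublicKey({
      key: Buffer.from(doc.publicKey, 'base64'), type: 'spki', format: 'der' });
    return nodeCrypto.verify(null, Buffer.from(doc.text, 'utf8'), key,
      Buffer.from(doc.signature, 'base64'));
  } catch (err) {
    return false; // a malformed key or signature counts as unverified
  }
}

// Were both documents signed by the same key? The claimed name is ignored on
// purpose: only the key that actually verifies each document is compared.
function sameSigner(known, candidate) {
  return verifyDocument(known) && verifyDocument(candidate) &&
    known.publicKey === candidate.publicKey;
}

// Constructed sample data: two key holders who both call themselves "John Doe".
const john = nodeCrypto.generateKeyPairSync('ed25519');
const otherJohn = nodeCrypto.generateKeyPairSync('ed25519');
const stored = signDocument('John Doe', 'First letter.', john);
const followUp = signDocument('John Doe', 'Second letter.', john);
const lookalike = signDocument('John Doe', 'Send the money to me.', otherJohn);
const tampered = { ...followUp, text: 'Second letter, edited in transit.' };

function demo() {
  return {
    followUp: sameSigner(stored, followUp),   // same key, both verify
    lookalike: sameSigner(stored, lookalike), // valid signature, different key
    tampered: sameSigner(stored, tampered),   // right key, signature no longer fits
  };
}
console.log(demo());
```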