From: jamesd@echeque.com (James A. Donald)
To: cypherpunks@toad.com
Message Hash: a141b42be2a1954c5d87512a0cff7259b2e94f8ac7f7e1f55efbdcd76ff8fee8
Message ID: <199801080543.VAA21873@proxy3.ba.best.com>
Reply To: N/A
UTC Datetime: 1998-01-08 05:57:59 UTC
Raw Date: Thu, 8 Jan 1998 13:57:59 +0800
From: jamesd@echeque.com (James A. Donald)
Date: Thu, 8 Jan 1998 13:57:59 +0800
To: cypherpunks@toad.com
Subject: Announcing Crypto Kong, Release Candidate Two.
Message-ID: <199801080543.VAA21873@proxy3.ba.best.com>
MIME-Version: 1.0
Content-Type: text/plain
--
Announcing Crypto Kong, Release Candidate Two.
http://www.jim.com/jamesd/Kong
please test.
Crypto Kong, like PGP, provides digital signatures and
communications encryption.
The important difference between it and other products that
provide digital signatures and encryption is that it is not
certificate based. Instead it is signature based.
This eliminates the steep initial learning and management
curves of existing products. The user does not need use and
manage specialized certificates except for specialized
purposes
Perhaps more importantly, it also eliminates the threat we
saw in England, the threat of the government giving itself a
monopoly in certificate distribution, potentially creating
the Number-Of-The-Beast system, where you need a government
certificate to log on to dirty picture sites, to buy, to
sell, to put up web pages.
The big complexity and user hostility in existing products is
creating and managing certificates.
For those who need contracts and certificates, (and with Kong
one almost never needs certificates) Kong handles them in an
easy and natural way.
See the discussion in the web site in the chapters:
Linking digital IDs with paper documents or physical
presence
and
Certificates and contracts
This aspect of Kong seems to have been insufficiently tested
in the beta tests.
The key feature of the proposed product is that any
digitally signed document can be stored in the database, and
itself performs the functions of a certificate, just as a
normal handwritten signature does. The user usually does
not need to check a document against a certificate to see if
it was signed by the "real" John Doe. Instead he normally
checks one document against other documents stored in the
database that have the same signature. And similarly when he
encrypts a document, he does not need to use a certificate
to encrypt a message to the one *real* John Doe, he merely
encrypts a message to the *same* John Doe who signed the
letter he is replying to.
At present people have to deal with certificate management
problems regardless of whether they really need certificates.
For example the most common usage of PGP is to check that two
signatures that purport to be by the same person are in fact
by the same person. Unfortunately you cannot check one
signature against another directly using PGP or any of the
other existing products. Instead you have to check both
signatures against a public key certificate, even if the
authentication information in that certificate is irrelevant
to your purpose, which it usually is, which means that you
have to download the certificate from somewhere, and the
person signing it had to upload it somewhere. As PGP always
checks a document against the certificate, rather than
against any other document the user happens to feel is
relevant to the question, the person signing the document
needs to get his certificate properly signed by some widely
trusted third party, which is too much trouble or too
complicated for many people.
The signatures and contracts in Crypto Kong are optionally
tolerant of email munging
The web pages contain a new web page "Business Vision" which
discusses the widespread failure to adopt cryptography, the
widespread reluctance to pay for cryptography, and the
illiquidity of various products for transferring money on the
net, and proposes a path to a solution.
Clearly, PGP has had rather poor penetration for business
uses, and by and large, people only need to encrypt or sign
stuff when there is money at stake.
I believe that this product will be more acceptable for the
typical businessman than PGP is, because it is easier to use,
and existing business practices translate more readily to
the identity model it supports than does the PGP identity
model.
The web page also contains full source code.
Crypto Kong is written in large part as ActiveX component,
and the use interface and database management code is written
in visual basic.
The use of ActiveX should make it easy to quickly code
products and web page that perform tasks involving
encryption.
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
AXOOTHyx0TpTLdyQsBnt7WmaVIo1l4WDGabHKK0Y
4Bxm/YWIEOTOK6zRVH57lP7PENFT5OFN+IR39Fcx8
Return to January 1998
Return to “jamesd@echeque.com (James A. Donald)”
1998-01-08 (Thu, 8 Jan 1998 13:57:59 +0800) - Announcing Crypto Kong, Release Candidate Two. - jamesd@echeque.com (James A. Donald)