 |
Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU |
|
Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU |
John Abreau wrote: > As far as I'm concerned, using S/MIME means handing off control of > who I trust to an unknown mix of government and corporate entities > who have no vested interest in actually protecting my privacy.For the > corporate entities involved, their only vested interest is short-term profit. I'd like to see an option that uses the S/MIME functionality built-in to mail clients with no or minimal modification, while using the PGP-style distributed key mechanism. Mark Woodward wrote: > ...a VERY public key linked to your email address so that you can be > sure that the mail you receive came from the person who's name is on > it. That service has to be free and distributed. It could very well > be a format where we send the public key with the mail, and cache the > public key on your system. So picture a hypothetical scenario in which desktop operating systems come with a certificate management UI. The banks, in the same way they mail you your ATM pin, also mail you a key fingerprint, along with instructions to open your certificate manager and type it in. Thereafter, any web or email contact with that vendor would have the certificate validated against the fingerprint. Even better if you can figure out how to make that fingerprint appear as a readable pass phrase, rather than a string of random hex digits. You'd need to either: 1. repeat the process every couple of years as certificates expire, or 2. fingerprint a subset of the certificate, and improve the revocation infrastructure to mitigate treating compromised keys as valid. Still, even with this, how does a non-technical user distinguish a site or email from a validated source from all the other sources? For example, a phish email from bankofamrica.com (note the typo) that has a CA issued cert, but isn't your bank. I suppose we need highly visible feedback in the web browser and email client indicating a verified cert, which is what they've already done for extended validation certificates. -Tom -- Tom Metro Venture Logic, Newton, MA, USA "Enterprise solutions through open source." Professional Profile: http://tmetro.venturelogic.com/
 |
|
| BLU is a member of BostonUserGroups | |
| We also thank MIT for the use of their facilities. | |
