[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: tmda: Challenge-response is fundamentally broken (RAPNAP)

on Fri, Sep 05, 2003 at 03:56:16PM -0500, david nicol (davidnicol@pay2send.com) wrote:
> On Fri, 2003-09-05 at 00:16, Russell Coker wrote:
> > On Thu, 4 Sep 2003 18:32, david nicol wrote:

> > For challenge response to work it has to be annoying to lots of people.  
> > Anything that stops it being annoying will stop it working.  That's why
> > it is broken.
> Challenge-response, BY ITSELF ONLY, suffers from that problem. When
> combined with other methods, CR is useful, and is _less annoying_
> then alternatives, such as requiring all correspondents to install PGP
> for instance.

C-R works on the basis that outsourcing trust and authentication
burdents to an entity who is by definition untrusted and
unauthenticated, and very likely shouldn't have been bothered in the
first place, is preferable to drawing your own conclusions about mail,
or using tools which _today_ are shown to _work_ with _high_ _degrees_
of efficacy.

Nobody's requiring everyone to install GPG, or even PGP.  However those
who do so (or utilize other standards-based methods of assuring identity 
and content) will find that their communications needs are met more
expeditiously than those who don't.  It's carrot, not stick.


Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
    Defeat EU Software Patents!                         http://swpat.ffii.org/

Attachment: pgp2MYMIAPNHM.pgp
Description: PGP signature

Reply to: