[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Comments on I-D requirement document

At 11:39 AM 4/7/97 -0400, Carl Ellison wrote:
>>"The same information can be delivered in a positive statement: a
>>   periodic revalidation of a certificate or a key. "
>One engineering solution might be to prefix each message with any revocation 
>message, but even then the recall goes out like pond ripples, not 
>*immediately*.  If there are communications lines under the active control 
>of some enemy, then the recall message might never get to some unit.  

This brings up a related problem - even if you do online verification
of keying material, if you use that information to generate an
encrypted email message, which is delivered by a store-and-forward system,
you can't be sure that the keys will be uncompromised between the time
that you send the message and the time it's actually read (including
queuing on the way to the destination postoffice and queuing in the 
user's mailbox waiting to be picked up or read.)

I'm writing this on the train, and it won't get mailed out until I get home. 
If I had one of those Metricom radio modems, it would still have to wait at 
least until I reach the next station :-)  Online delivery helps a bit, 
but the message still needs to be read, whether by a human or a bot.

#			Thanks;  Bill
# Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
#     (If this is a mailing list, please Cc: me on replies.  Thanks.)