> Electronic verification is still in its infancy. If you have a sure fire > way of making sure of identity, you're going to be a very rich person. I'm sorry to post a follow-up to techdiver, but I don't think this remark should go unchallenged. Mr. Davnor's comment, to me, implies that people don't know how to implement workable schemes for verifying identity with a reasonably high probability. [**Sure fire** is probably unworkable in any case, given that any system can be compromised, e.g., from within, as intelligence agencies and phone phreaks have repeatedly demonstrated.] If this was, indeed, the intent of Mr. Davnor's remark, then he is simply mistaken. Public key encryption has been around since the mid-1970's, and at least one solid implementation of public key encryption has been in the public domain for the last few years: Phil Zimmerman's PGP. [reference: _PGP: Pretty Good Privacy_, Garfinkel, ISBN 1-56592-098-8, O'Reilly Press--and this book really is readable by a knowledgeable layperson]. Briefly, as other readers of this list have pointed out, you guarantee your e-mail's authenticity by -. creating two "keys" (i.e., numeric passwords); -. publishing one key as a public key; -. getting trusted friends to vouch that the key you publish as a public key really is your key; and -. encrypting part of your e-mail with your private key in a way that makes this encryption dependent upon the integrity of the message as a whole. That encrypted part of your letter is your "digital signature". And if others can't decrypt a digital signature on a note that you send using your public key, then that note simply wasn't encrypted with your private key--or the note was tampered with en route to its destination. Several of my students routinely use digital signatures to guarantee the authenticity of their more important notes. And there is already at least one firm--a European firm other than Microsoft--that sells digital signature technology (that is, besides the firm established by the inventors of RSA). The issue as I see it, unlike Mr. Davnor, is not one of technology, but one of marketing and patent rights. The market, as a whole, isn't quite ready for digital signatures (not enough bad experiences with forged notes, and encryption does take a little time to do .... just how much is another issue not worth beating on in techdiver). Furthermore, the original public key encryption algorithm was patented through the late 1990's, I believe. Expect to see technology marketing firms like Microsoft jump into digital signatures once the patent on the original RSA algorithm goes public. Interestingly enough, as Manuel Blum (of Berkeley, or of USC, I think?) pointed out at a talk in April at Yale's annual comp sci symposium, **any** reasonably complicated problem (e.g., graph isomorphism) could be used in place of factoring prime numbers--the public key algorithm's approach to guaranteeing security. > But, nothing still beats the telephone call to the certifying agency if you > are in doubt. A log book entry by a instructor is prove enough, with the > call. Here we agree. As long as you're not paranoid about tampering with the phone system. > Maybe the answer is electronic verification by secure e-mail link (direct > dial to certification agency). Or by marketing PGP (or the like) to the masses. But this is not a technological problem. ====== By the way, on the subject of spoofing e-mail: yes, any idiot with enough training can do it. Many do: witness postings to this group. My students have done it on occasion, and I've heard that there are CD-Roms that will instruct you in the art. However, the spoofing of e-mail, to me, seems about as ethical as spreading false rumors, forging checks, or other forms of not-so-petty dishonesty. And since integrity is an important element of credibility, and since I teach for a living, I have not made a point of learning how to forge. Just one other thought. E-mail is such an eminently crackable protocol because it, like other TCP/IP tools, were invented in a day when people where primarily concerned with using computers to do work, and not with playing electronic CYA [a relatively recent concern, given the explosion and commercialization of the Internet.] It should not suprise--or frankly impress--anyone on this list, therefore, that forging is possible... just, perhaps, as it should not suprise anyone that the old conventions for filling tanks with gas--which were invented in an era before Nitrox became common and people started to fill tanks with any gas they damn well please to use--are apparently about to become much less workable. -- Phil ===== Phil Pfeiffer, Computer Sci. Dept. | Kindness in thought leads to wisdom. East Stroudsburg University, | Kindness in speech leads to eloquence. East Stroudsburg, Pa. 18301-2999 | Kindness in action leads to love. phil@es*.ed* (717) 422-3820 | -- Lao-Tsu
Navigate by Author:
[Previous]
[Next]
[Author Search Index]
Navigate by Subject:
[Previous]
[Next]
[Subject Search Index]
[Send Reply] [Send Message with New Topic]
[Search Selection] [Mailing List Home] [Home]