Public Keys and the Web Page.

Pete Chown Pete.Chown at skygate.co.uk
Mon, 21 Jun 1999 11:44:01 +0100


George Foot wrote:

> (a) It is a delusion that a Private Key can be securely held
> for a long period, perhaps years, under busy commercial
> conditions in the face of carelessness and malice within the
> company and subtle intrusion from without.

If you keep the key in a tamper-resistant hardware unit you are probably
a bit better off.  At least then either the key is safe or the hardware
device has disappeared.  You can't have the situation where the key has
been copied without your knowledge.  (Of course you can still have the
situation where a single message has been signed without your
knowledge.)

I think the idea of distributing *signed* keys from a website is a good
one.  But for unsigned keys there are just too many unknowns.  If you
end up using a false key, you will never know who was responsible.  At
least if a CA signed the false key you know that they are responsible.

-----------------------------------------------------------------------
Pete Chown, email  pc@skygate.co.uk,       phone  +44 (0) 181 680 8393,
            fax    +44 (0) 181 688 8013,   mobile +44 (0) 468 765 645,
            post   58 Foss Avenue, Croydon, CR0 4EU, England