ZeroClick, poor encryption tools for NHS?
Ian BROWN
I.Brown at cs.ucl.ac.uk
Thu, 22 Feb 2001 12:48:34 +0000
There seem to be three concerns here:
(1) ZeroClick does not use the web of trust
(2) It does not protect stored messages
(3) It does not use passphrases
There are three simple responses:
(1) It does not do key management pretty much full stop; as with PGP, that is
largely left to the user with the PGPKeys program
(2) Use storage encryption like PGPdisk. It's a bad idea to mix up storage and
communications security for many reasons. A particularly relevant one on this
list is RIP: it means you can't use short-lifetime keys. See http://www.acsac.org/2000/papers/47.pdf
(3) I believe it can: just as with PGP, private keys are stored encrypted;
ZeroClick then asks for the relevant passphrase as necessary. As with PGP, it
can cache this passphrase within a session.