> it will use 64 bit which will be what would need to be compromised
> by interlopers;
> however, 24 bits will be bound to 40 bits... the 24 bits are
> encrypted with a Government public key, effectively leaving the
> key length not know to the government remains at 40 bit.
I *assume* this is Lotus Notes v4 that is being referred to. The basic
problem would be the security of the government key used on every
document.
At first glance, this says that is the gov key is lost, there is still
a 40 bit key for protection. IMNSHO this is not enough to stop a
determined attacker for more than three hours. Since no-one would know who
had the gov key (or will each user have their own gov key ?) essentially
you would have only a 40 bit key you could trust.
My feeling is that too many people do not trust the government to keep
such a secret and specifically they do not trust the gov to tell them if
the key is lost/disclosed. As a result the only effective anwer I can see
is for major corporations to escrow their own keys, and a multitude of
licensed agents to escrow keys for clients. If the gov requires a key,
it is provided *but an independant third party must know about it*.
In short, the trust in the key becomes trust in that part which is controlled
by you or controlled by some third party that is trusted. I am afraid that
many people do not trust governmental agencies to that extent. Without trust
you have a 40 bit key that has been complicated with smoke and mirrors but
is still a 40 kit key.
Of course should AmEx/Visa/MasterCard say that loss will be limited to $50 (the
same as a stolen card) if numbers/information are transmitted this way, then
what I think will really not matter.
What I would like to know is if they fixed the hidden @mailsend forgery
problem in Notes.
Warmly,
Padgett
|
|
