Comment Centralised Infrastructure (Score 1) 345
From the article:
"CCD servers are part of a central infrastructure operated by Ciphire Labs."
The end-user advantage to this system seems not to be transparent encryption - a relatively simple hack one may apply to this or that MTA - but to the automagic sharing of keys and transparent negotiation. Entrusting these keys to a centralised architecture seems contrary to any `secure' as we lose the benefits of community audit and so on. Furthermore, since Ciphire is a corporation in Germany (it seems from their Disclaimer page) all servers become a single point of failure both technically and politically.
Creating a client-client system of key negotiation seems like a better investment of time: creating a system that automatically queries other clients for their identifiers, not a central medium. Although there is still no sure guarantee that keys are reliable the key source's identity may be reasonably verified - more so, at least, than a server that operates at the whims of its administrators. Developers of PKI (a now-marketspeak term) could learn a thing or two from the No-Trust mantra of anonymous net developers - from Tor to Mute, Chaum mixes, P5, tree hashes and so on (not to mention the poor venerable, FreeNet).
"CCD servers are part of a central infrastructure operated by Ciphire Labs."
The end-user advantage to this system seems not to be transparent encryption - a relatively simple hack one may apply to this or that MTA - but to the automagic sharing of keys and transparent negotiation. Entrusting these keys to a centralised architecture seems contrary to any `secure' as we lose the benefits of community audit and so on. Furthermore, since Ciphire is a corporation in Germany (it seems from their Disclaimer page) all servers become a single point of failure both technically and politically.
Creating a client-client system of key negotiation seems like a better investment of time: creating a system that automatically queries other clients for their identifiers, not a central medium. Although there is still no sure guarantee that keys are reliable the key source's identity may be reasonably verified - more so, at least, than a server that operates at the whims of its administrators. Developers of PKI (a now-marketspeak term) could learn a thing or two from the No-Trust mantra of anonymous net developers - from Tor to Mute, Chaum mixes, P5, tree hashes and so on (not to mention the poor venerable, FreeNet).
