The Register® — Biting the hand that feeds IT

Comments on: Voltage secures patents on identity-based encryption

a bit pedantic maybe...but 

Posted Tuesday 26th June 2007 12:35 GMT

"a system where knowing someone's email address.....gives access to their public key and thus enables encrypted messages to be sent to that person"

surely you kind of need to know their email address simply to send them the mail whatever the encryption ;) quite possibly a bad example :)

Patenting the obvious yet again 

Posted Tuesday 26th June 2007 12:40 GMT

A key is a key, no matter whether it's a key or some other sort of key. It is still only a key.

Once again, America has abused the patent system by allowing somebody to patent what is patently obvious.

Epileptic Curve Cryptography.... 

Posted Tuesday 26th June 2007 12:57 GMT

I love it! This must be the next thing after Elliptic Curve Cryptography, right? Is it what the London Olympic Committee is using for their new logo?

patented a mathematical function .. 

Posted Tuesday 26th June 2007 13:35 GMT

Does this mean that no one can use Pair( a • X, b • Y ) = Pair( b • X, a • Y ) in an encryption device without violating Voltage's patent?

Maybe I'm a little slow.... 

Posted Tuesday 26th June 2007 14:00 GMT

First,

A comment to Matt.

The idea is that you don't need to know their public encryption keys, but just their e-mail address so that you can get the encryption keys from Voltage.

They can't patent the ECC, but they can patent the concept of using a known identifying element to query a 'public' site to get the keys as a form of key management.

Obvious maybe. Prior Art? Again maybe.

ECC is compute intensive 

Posted Tuesday 26th June 2007 14:07 GMT

ECC uses a lot of computer cycles. Of course, with the horsepower available these days, that may not be an issue.

OTOH, someone storing my private key is a disaster waiting to happen. To say nothing of the NSA.

How long before... 

Posted Tuesday 26th June 2007 15:45 GMT

... they get a subpoena to give up someone's private key?

That's assuming anyone would be so stupid as to store it on a web server in the first place.

Have they patented a foreign key ? 

Posted Tuesday 26th June 2007 17:13 GMT

Hmm, let me see, they use a key to access some data stored in a database.

Just because the key is an email address is surely irrelevant, isn't it? Or is this the reason I am not a patent lawyer?

This is just getting too weird.

I knew this was the wrong day to give up LSD

Whuh? 

Posted Tuesday 26th June 2007 19:28 GMT

"but Voltage reckons the advantage of not requiring the recipient to sign up first will drive greater use of encrypted communications and as long as you trust Voltage then there's no problem."

So what happens when the Voltage server is broken into by cyber-crooks or some kiddie (refer to the security person's adage: "the only completely secure system is one disconnected and buried in concrete")? Does Voltage have to suddenly generate new keys for everyone and inform their entire clientèle that they've been breached?

These guys aren't very keen on security methods, so why should we trust them with crypto (one of the first lines of defense)?

What did you say your name was? 

Posted Tuesday 26th June 2007 23:02 GMT

Er, am I missing something - the recipient obtains the private key from the repository? How does the repository know that it's the legit recipient asking for it? Because they've pre-registered and been given an authentication credential? And how did they prove that they really were the owner of the identity? Etc, etc.

Are keys static or do they change with every message or are they actually formed from sender/recipient id pairs? If the former, whoopee, I persuade the originator to send me an encrypted message, a simple bit of social engineering, I then get the private key and read all other messages they sent and I've got my hands on. Even better if recipient's own computer security is a bit flakey, someone else can get at their collection of private keys. There's a whole new entrepreneurial opportunity for the criminally inclined here.