L. Sassaman Sent: Saturday, July 01, 2000 2:58 AM
On Fri, 30 Jun 2000, Michael Helm wrote:
"L. Sassaman" writes:
X.509 is a much older and cruftier standard. PGP is
I think is up to customers to decide.
I think customers *have* decided. Where is PEM now?
PEM is being used on every ecommerce site now, to implement SSL. Where have you been? Show me a site being secured with PGP, please. These same certs can be, and are, used to protect email content, it's called S/MIME. Please show where this doesn't work. There is a working PKI for X.509 that operates at commercial production levels. Further, third-party online auth, via TLS, is also built into the system (PGP doesn't do that). It works and lives now.

As far as customer acceptance goes, they don't want to deal with two different encryption systems when one will do the job. They already are used to SSL via their ecommerce activity. Getting the same type of encryption for their email reduces their pain. Ergo, your statement doesn't float. Please provide evidence to the contrary.

You should know that I've been trying to get PGP accepted for years. I've given up. That dog won't hunt. Customers couldn't grasp the difference between client-side SSL certs (SecureWebMail [TM MHSC]) and PGP, for the exact same email over POP3. Every one of them demanded to be able to use the same cert for both. 2000 users out of 3500 all said the same thing here. This is from our SecureWebMail beta, last year.

This gets even worse when doing SSL/POP3. Using a different cert (X.509) for the SSL auth and encrypting the content (PGP) is both useless and stupid. It also makes key management unbelievably complex. Since I can't get PGP to work with SSL and I CAN get X.509 to encrypt message content, guess which drops out the door. In case you haven't figured it out yet, it's an integration issue, not strictly a technical one.