From: L. Sassaman [mailto:rabbi@quickie.net] Sent: Friday, June 30, 2000 12:49 PM
On Fri, 30 Jun 2000 Valdis.Kletnieks@vt.edu wrote:
X.509 is definately better suited for certain situations, especially where certificate chaining is required. I cannot, however, envision that the X.509/-slash-S/MIME standards will ever become more popular for email usage. They are just too anti-user.
I hope you don't mind if I disagree. The way Outlook 2K works with certs and other SSL items is almost painless. Note that this message is generated with Outlook. To consider Outlook anti-user (different from anti-consumer) is indeed myopic. ALso, Yes, EudoraPro is the superior MUA and it doesn't do X.509 easily, however it also doesn't do calendar, tasks, and other workgroup stuff, which is the reason that I reluctantly switched from there. Corporate America does Outlook, Lotus Domino, or some other WG aware package. Those that do not are out-of-the-loop. I will concede the issue of making other mailers S/MIME capable may be a PITA. But I conceded that point at the start. The bottom-line is that every eCommerce site must have these certs to do SSL. This drives the build-out of the X.509 PKI. PGP has no such incentive. Also, I must use different keys for client-side web-certs than for client email. .. NOT gonna happen for long. If you take the above two points significantly (and you don't have to), they spell out a strong favor to X.509. Yes, this is not a technical argument. However, I still think it is valid. The world is headed towards X.509 for reasons having nothing to do with technical merits, other than that it works sufficiently well. That point may be arguable, but what is not arguable is that X.509 certs are not going away anytime soon. They are just too useful and all SSL sites are dependent on them. My question is, why have two disparate systems? Further, why re-invent the PKI wheel? Much of what you say WRT OpenCA, is easily countered. Besides, there are commercial CAs available already. Or is it that you are trying to say that PGP PKI is as developed as SSL PKI? Is is only a "Simple Matter of Programming?" I don't think that states the issues well at all. BTW, as I said earlier, it is NOT a matter of right/wrong. It is a relative value issue. Both are right, both work sufficiently, PGP PKI would take more development work. Why do you have to make this a bi-polar situation?