RE: PGP keyserver infrastructure
From: Albert Levi: Thursday, June 29, 2000 7:35 PM
"Roeland M.J. Meyer" wrote:
Most modern mailers support X.509 certs for encryption. PGP is considered, by many, to be the older technology. Building PKI around X.509 is much easier and meets actual existing standards.
Well, X.509 is as old as PGP (cf. PEM, which was X.509 based). I agree that X.509 based PKIs are easier to build, but easiness does not mean usability. The trust structures embedded in X.509 certs are not acceptable for a large number of PGP users.
I think the large number of PGP users and the current growth rate determine whether it is old or not. Maybe it is not the "standard", but that many PGP users could not be wrong!
It is not an issue of right/wrong. Rather, it is an issue of what is most usable to the most people. SSL certs are certainly more usable to many. PGP works with ancient CLI mailers and older GUI mailers. All modern GUI mailers support X.509 keys for message encryption and even let you use the same cert for SSL protected POP3. PGP, OTOH, only encrypts the message body; this is why its popularity is reducing. In addition, even you agree that an X.509 PKI is easier to build. Maybe because of the reasons I give here.
On Fri, 30 Jun 2000 01:07:18 PDT, "Roeland M.J. Meyer" said:
It is not an issue of right/wrong. Rather, it is an issue of what is most usable to the most people. SSL certs are certainly more usable to many. PGP works with ancient CLI mailers and older GUI mailers. All modern GUI mailers support X.509 keys for message
All modern GUI? Odd.. I didn't add X.509 to Exmh yet. ;) Eudora 4.3, which certainly qualifies as "modern GUI", doesn't seem to come with X.509 support, although it does come with a PGP plugin bundled. If there *is* X.509 support, feel free to point it at me. I know Netscape seems to support PKCS-7 signatures, and I'm unsure what Outlook supports.
encryption and even let you use the same cert for SSL protected POP3. PGP, OTOH, only encrypts the message body, this is why its
Umm.. note that the message headers have to be in cleartext for the MTA to be able to deal with them. Sendmail 8.11 (currently in Beta) will support TLS for the inter-MTA hop. However, given that Sendmail has between 70% and 90% of the MTA market, your *current* chances of doing long-haul e-mail with encrypted headers are rather low. Just because you use SSL for the MUA-to-MTA transmission does NOT mean that you have a crypto-secure MUA-to-MUA connection.
popularity is reducing. In addition, even you agree that an X.509
Popularity reducing? Didn't I just see where the keyservers are seeing an additional 2,500 keys *per day*? Given the 1M keys they say they have currently, I work that out to 7.5% growth *PER MONTH*. Not bad for popularity reducing...

--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 30 Jun 2000 Valdis.Kletnieks@vt.edu wrote:
On Fri, 30 Jun 2000 01:07:18 PDT, "Roeland M.J. Meyer" said:
It is not an issue of right/wrong. Rather, it is an issue of what is most usable to the most people. SSL certs are certainly more usable to many. PGP works with ancient CLI mailers and older GUI mailers. All modern GUI mailers support X.509 keys for message
All modern GUI? Odd.. I didn't add X.509 to Exmh yet. ;)
Eudora 4.3, which certainly qualifies as "modern GUI", doesn't seem to come with X.509 support, although it does come with a PGP plugin bundled. If there *is* X.509 support, feel free to point it at me.
I know Netscape seems to support PKCS-7 signatures, and I'm unsure what Outlook supports.
As of yet, there is no PGP support in Netscape. Outlook and Outlook Express both have plugins for PGP.
Popularity reducing? Didn't I just see where the keyservers are seeing an additional 2,500 keys *per day*? Given the 1M keys they say they have currently, I work that out to 7.5% growth *PER MONTH*. Not bad for popularity reducing...
Yep. X.509 is definitely better suited for certain situations, especially where certificate chaining is required. I cannot, however, envision that the X.509/-slash-S/MIME standards will ever become more popular for email usage. They are just too anti-user.

__
L. Sassaman
System Administrator | Technology Consultant | "Common sense is wrong."
icq.. 10735603 | pgp.. finger://ns.quickie.net/rabbi | --Practical C Programming

-----BEGIN PGP SIGNATURE-----
Comment: OpenPGP Encrypted Email Preferred.

iD8DBQE5XPmrPYrxsgmsCmoRArVUAKCjbSHdoA7pi1fp3zsFwk9eKs19gQCfV9iG
K3RplHx1r4V8b30ElNkA5zc=
=bAdp
-----END PGP SIGNATURE-----
From: L. Sassaman [mailto:rabbi@quickie.net] Sent: Friday, June 30, 2000 12:49 PM
On Fri, 30 Jun 2000 Valdis.Kletnieks@vt.edu wrote:
X.509 is definitely better suited for certain situations, especially where certificate chaining is required. I cannot, however, envision that the X.509/-slash-S/MIME standards will ever become more popular for email usage. They are just too anti-user.
I hope you don't mind if I disagree. The way Outlook 2K works with certs and other SSL items is almost painless. Note that this message is generated with Outlook. To consider Outlook anti-user (different from anti-consumer) is indeed myopic. Also, yes, EudoraPro is the superior MUA and it doesn't do X.509 easily; however, it also doesn't do calendar, tasks, and other workgroup stuff, which is the reason that I reluctantly switched from there. Corporate America does Outlook, Lotus Domino, or some other WG-aware package. Those that do not are out of the loop. I will concede the issue of making other mailers S/MIME capable may be a PITA. But I conceded that point at the start.

The bottom line is that every eCommerce site must have these certs to do SSL. This drives the build-out of the X.509 PKI. PGP has no such incentive. Also, I must use different keys for client-side web certs than for client email... NOT gonna happen for long. If you take the above two points significantly (and you don't have to), they spell out a strong favor to X.509. Yes, this is not a technical argument. However, I still think it is valid. The world is headed towards X.509 for reasons having nothing to do with technical merits, other than that it works sufficiently well. That point may be arguable, but what is not arguable is that X.509 certs are not going away anytime soon. They are just too useful and all SSL sites are dependent on them.

My question is, why have two disparate systems? Further, why re-invent the PKI wheel? Much of what you say WRT OpenCA is easily countered. Besides, there are commercial CAs available already. Or is it that you are trying to say that PGP PKI is as developed as SSL PKI? Is it only a "Simple Matter of Programming?" I don't think that states the issues well at all. BTW, as I said earlier, it is NOT a matter of right/wrong. It is a relative value issue. Both are right, both work sufficiently, PGP PKI would take more development work.
Why do you have to make this a bi-polar situation?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 30 Jun 2000, Roeland M.J. Meyer wrote:
It is not an issue of right/wrong. Rather, it is an issue of what
Actually, it is. You are wrong.
is most usable to the most people. SSL certs are certainly more usable to many. PGP works with ancient CLI mailers and older GUI mailers. All modern GUI mailers support X.509 keys for message encryption and even let you use the same cert for SSL protected POP3. PGP, OTOH, only encrypts the message body, this is why its
Ever heard of PGP/MIME? Look at RFC 2015.
popularity is reducing. In addition, even you agree that an X.509 PKI is easier to build. Maybe because of the reasons I give here.
Most of the encrypted traffic on the Internet is PGP traffic. Methinks you are a tad confused.

__
L. Sassaman
System Administrator | Technology Consultant | "Common sense is wrong."
icq.. 10735603 | pgp.. finger://ns.quickie.net/rabbi | --Practical C Programming

-----BEGIN PGP SIGNATURE-----
Comment: OpenPGP Encrypted Email Preferred.

iD8DBQE5XPfIPYrxsgmsCmoRAmOPAJ9gaRntflX5w2G085BcArP9vexjUgCgzzK2
/fZGCAFP82LBsuCbUhaB97k=
=Wpcp
-----END PGP SIGNATURE-----
Most of the encrypted traffic on the Internet is PGP traffic. Methinks you are a tad confused.
if you actually meant signed/encrypted email, then i agree with you. if i take you literally, i disagree and believe ssl and ssh predominate with ipsec vpns catching up. randy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 30 Jun 2000, Randy Bush wrote:
Most of the encrypted traffic on the Internet is PGP traffic. Methinks you are a tad confused.
if you actually meant signed/encrypted email, then i agree with you.
Oops. Sorry, yes, that's what I mean.
if i take you literally, i disagree and believe ssl and ssh predominate with ipsec vpns catching up.
Yep. Thanks for correcting that. What I was referring to is encrypted traffic where the user is actively encrypting something (email, attached email files, etc.)

- --Len.

__
L. Sassaman
System Administrator | Technology Consultant | "Common sense is wrong."
icq.. 10735603 | pgp.. finger://ns.quickie.net/rabbi | --Practical C Programming

-----BEGIN PGP SIGNATURE-----
Comment: OpenPGP Encrypted Email Preferred.

iD8DBQE5XPo7PYrxsgmsCmoRAmT8AJ4gbXafoNyvQG1GOhbQlK6Ud49eWACeNs0s
Yyjmnm1u0k6ZSl8J3TBcwy4=
=wlAR
-----END PGP SIGNATURE-----
On Fri, Jun 30, 2000 at 12:40:46PM -0700, L. Sassaman wrote:
usable to many. PGP works with ancient CLI mailers and older GUI mailers. All modern GUI mailers support X.509 keys for message encryption and even let you use the same cert for SSL protected POP3. PGP, OTOH, only encrypts the message body, this is why its
Ever heard of PGP/MIME? Look at RFC 2015.
To be fair, even you aren't using it. :-)
On Fri, 30 Jun 2000 15:57:06 EDT, Shawn McMahon <smcmahon@eiv.com> said:
On Fri, Jun 30, 2000 at 12:40:46PM -0700, L. Sassaman wrote:
Ever heard of PGP/MIME? Look at RFC 2015. To be fair, even you aren't using it. :-)
Some of us *do* use it, in spite of the complaints it generates. ;)

--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
On Fri, Jun 30, 2000 at 04:14:06PM -0400, Valdis.Kletnieks@vt.edu wrote:
Some of us *do* use it, in spite of the complaints it generates. ;)
Yeah, I think he was actually using it too; I had Mutt misconfigured on this box. (Well, OK, Mutt was right, procmail was misconfigured.)
2000-06-30-15:57:06 Shawn McMahon:
2000-06-30-15:40:46 L. Sassaman:
Ever heard of PGP/MIME? Look at RFC 2015.
To be fair, even you aren't using it. :-)
Yup. I abandoned it briefly myself. Seems that various versions of various MUAs under Windows go way, way out of their way to screw up PGP/MIME, making the normal body of the message look like some kind of unknown binary attachment, popping up warnings that it might have a virus, etc. --- the same programs that silently just run .SHS attachments that they present to the user as being simple text files. In an attempt to make life a little easier for people running that grade of software, I experimented for a bit with turning off the PGP/MIME stuff and having my mutt generate text/plain with clearsigned messages in the body. Then I got more severe complaints: people who'd been able to read my email before no longer could; it was arriving mushed into some kind of random binary crud. So I switched back to PGP/MIME. Seems to be the least awful of the alternatives available today, at least for people who care about email privacy or authentication. Of course for people who care primarily about enriching CAs, what you want is S/MIME:-).

-Bennett
Bennett Todd: Friday, June 30, 2000 1:18 PM
2000-06-30-15:57:06 Shawn McMahon:
2000-06-30-15:40:46 L. Sassaman:
Ever heard of PGP/MIME? Look at RFC 2015.
To be fair, even you aren't using it. :-)
Yup.
people who care about email privacy or authentication. Of course for people who care primarily about enriching CAs, what you want is S/MIME:-).
This is not true for those who are their own CAs. You should read some of Ed Gerck's treatises on mutual trust issues, sometime.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 30 Jun 2000, Shawn McMahon wrote:
On Fri, Jun 30, 2000 at 12:40:46PM -0700, L. Sassaman wrote:
usable to many. PGP works with ancient CLI mailers and older GUI mailers. All modern GUI mailers support X.509 keys for message encryption and even let you use the same cert for SSL protected POP3. PGP, OTOH, only encrypts the message body, this is why its
Ever heard of PGP/MIME? Look at RFC 2015.
To be fair, even you aren't using it. :-)
Correct. Standard clear-signed PGP messages are supported more widely, and I have no need to sign my headers. If I were sending messages with attachments, etc., it would be a different case.

__
L. Sassaman
System Administrator | Technology Consultant | "Common sense is wrong."
icq.. 10735603 | pgp.. finger://ns.quickie.net/rabbi | --Practical C Programming

-----BEGIN PGP SIGNATURE-----
Comment: OpenPGP Encrypted Email Preferred.

iD8DBQE5XQSEPYrxsgmsCmoRAiwgAKDKtXTMhTxzZMTlc755ms7Pse2v/wCfVkdj
xgErVTPufaQkFpTFGgDaAvs=
=QdM+
-----END PGP SIGNATURE-----
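Editor's note: two points in this thread are easy to state and easy to misread: Valdis's point that message headers must stay in cleartext for MTAs to route the mail, and Len's point that neither PGP/MIME (RFC 2015) nor clear-signing covers the headers. The script below is an added illustration written for this archive page, not code from any of the participants. It builds the RFC 2015 multipart/signed container with Python's standard email library and then shows which parts a verifier actually checks: the signed MIME part (its own Content-Type and other part headers plus the body) is covered; the outer From, To and Subject are not, so a list server tagging the Subject in transit leaves the signature valid while a change to the body does not. The signature itself is an assumed placeholder (a SHA-1 digest of the canonical signed part, matching the micalg="pgp-sha1" label); a real implementation hands those same canonical bytes to an OpenPGP tool and verifies with the sender's public key. Addresses and message text are constructed sample values.

```python
"""PGP/MIME (RFC 2015) coverage demo: what multipart/signed protects and what it leaves open.

ASSUMPTION: placeholder_sign() stands in for a real OpenPGP detached signature.
It only models *what bytes* a signature commits to; it provides no authenticity.
"""
import email
import hashlib
from email import encoders
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText


def canonical(part) -> bytes:
    """RFC 2015 signs the whole MIME part (part headers + body) with CRLF line ends."""
    raw = part.as_bytes()
    return raw.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")


def placeholder_sign(data: bytes) -> bytes:
    """Stand-in for an OpenPGP signature (assumption, not real PGP): a SHA-1 digest."""
    digest = hashlib.sha1(data).hexdigest()  # pairs with micalg="pgp-sha1" below
    return (
        "-----BEGIN PLACEHOLDER SIGNATURE-----\n"
        f"sha1={digest}\n"
        "-----END PLACEHOLDER SIGNATURE-----\n"
    ).encode("ascii")


def build_pgp_mime_signed(sender: str, recipient: str, subject: str, body: str) -> bytes:
    """Wrap `body` in the RFC 2015 multipart/signed container and return the raw message."""
    signed_part = MIMEText(body, "plain", "us-ascii")          # the protected part
    signature = MIMEApplication(placeholder_sign(canonical(signed_part)),
                                "pgp-signature", _encoder=encoders.encode_7or8bit,
                                name="signature.asc")
    outer = MIMEMultipart("signed", micalg="pgp-sha1",
                          protocol="application/pgp-signature")
    outer.attach(signed_part)
    outer.attach(signature)
    # Outer headers sit outside the signed part: every MTA on the path can read
    # them (it has to, to route the mail) and may rewrite them without touching
    # the signature.
    outer["From"], outer["To"], outer["Subject"] = sender, recipient, subject
    return outer.as_bytes()


def verify_signed_message(raw: bytes) -> bool:
    """Recompute the placeholder signature over the canonical signed part."""
    msg = email.message_from_bytes(raw)
    if msg.get_content_type() != "multipart/signed":
        return False
    signed_part, signature = msg.get_payload()
    return signature.get_payload(decode=True) == placeholder_sign(canonical(signed_part))


def signature_coverage(raw: bytes) -> dict:
    """Header names covered by the signature (inner part) vs. left open (outer message)."""
    msg = email.message_from_bytes(raw)
    signed_part = msg.get_payload()[0]
    return {"covered": list(signed_part.keys()) + ["<body>"],
            "not_covered": list(msg.keys())}


def rewrite_subject(raw: bytes, prefix: str) -> bytes:
    """Model a list server or gateway tagging the Subject in transit."""
    msg = email.message_from_bytes(raw)
    msg.replace_header("Subject", prefix + msg["Subject"])
    return msg.as_bytes()


def rewrite_body(raw: bytes, new_body: str) -> bytes:
    """Model an in-transit change to the protected body (what the signature must catch)."""
    msg = email.message_from_bytes(raw)
    msg.get_payload()[0].set_payload(new_body)
    return msg.as_bytes()


if __name__ == "__main__":
    # Constructed sample values.
    raw = build_pgp_mime_signed("alice@example.org", "bob@example.org",
                                "keyserver growth",
                                "Keyservers report about 2,500 new keys per day.\n")
    print(raw.decode("ascii"))
    print("coverage:", signature_coverage(raw))
    print("untouched message verifies:", verify_signed_message(raw))
    print("Subject tagged in transit still verifies:",
          verify_signed_message(rewrite_subject(raw, "[pgp-users] ")))
    print("body changed in transit verifies:",
          verify_signed_message(rewrite_body(raw, "Keyservers report no growth.")))
```

The coverage dictionary is the point of the exercise: a valid PGP/MIME signature tells a recipient the body and the signed part's own MIME headers are intact, and nothing about who the outer From or Subject line claims. Hop-by-hop TLS between MUA and MTA, or between MTAs, hides those headers from a passive observer on that one hop only; it does not turn them into end-to-end protected data.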