Re: [openpgp] OpenPGP private certification [was: Re: Manifesto - who is the new OpenPGP for?]

Phillip Hallam-Baker <phill@xxxxxxxxxxxxxxx> writes:

> By that I mean fixed in time. I agree that it does not need to be
> public. Only the hash needs to be enrolled.

Unfortunately it doesn't matter.  As soon as you require any kind of
"enrollment" the system fails.  Period.  This was (and still is, IMHO)
the major issue with X509/SMIME -- My mother would need to jump through
hoops that she doesn't understand how to jump through in order to get
set up in the system.  I.e., the system doesn't work until the user gets
blessed by some CA.

This is IMHO the power of the OpenPGP model -- generate and go.  From a
UI/UX perspective the system asks for some information (which
technically it already has when you create your email account) and it
generates a key pair for you.  Maybe it uploads it to a keyserver (which
I suppose some could consider "enrollment", but it's a far cry from X509
enrollment requirement).

From this point on the OpenPGP user can encrypt messages to other people
and get encrypted messages to them.  They can choose to get their key
signed by others (or not).  They could get it signed from their
enterprise (if they are in a corporate environment -- my mother
certainly is not).  But the key (pun intended) is that the system works
without any certifications.

From a usability perspective this is the model I would want to see.  I
honestly don't care if the actual messages are CMS or 4880 (although I
have a large disdain for all things ASN1).

So please, for all things sacred, let's not require any kind of
"enrollment" for the system to operate.

Now, if we want to talk about enrollment for "key lookup" properties, of
(non-required) certifications, or anything like that ... I'm all ears.
But it should not be a pre-requisite for a user to get up and running.


