X.509 / PKI, PGP, and IBE Secure Email Technologies

Travis H. solinym at gmail.com
Mon Dec 12 11:59:05 EST 2005


Not to sidetrack the discussion, but frequently I've heard PKI
compared to PGP's model.  Isn't PGP's trust model the same as everyone
being their own CA?

I find PGP to be problematic.  Many keys I see are only self-signed,
and this includes important keys like CERT.  Many others sit unsigned
on the same website you access to download the source code protected
by it.  And 90% of the time when they have more than one signature you
don't have a key that signed the other party's key, so you get to do a
breadth-first search manual-like (pathserver being dead and all). 
Even with kgpg pulling the keys from a keyserver for you, it's still
non-trivial.

I successfully inspired a local keysigning, but it seems like most of
the people didn't see any immediate benefit, and so declined to
participate.  "What does this mean for me" was a common question.  I
tried to explain the purpose, but I suspect it is too recondite or too
far removed from their experience.  Perhaps I'd have better luck by
stating what kind of attacks it would prevent (email spoofing being
relatively rare, save for some obvious spam tactics).  I'm open to any
suggestions along these lines.
--
http://www.lightconsulting.com/~travis/  -><- P=NP if (P=0 or N=1)
"My love for mathematics is unto 1/x as x approaches 0."
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
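The manual breadth-first search over key signatures that the message above describes, as an added Python example that is not part of the original post: a constructed toy signature graph with made-up key names (nothing here is a real key ID), and a search for the shortest chain of signatures from the keys you hold to the key you want to use. It treats every key on the path as an introducer, which is a simplification of PGP's owner-trust model; the depth cap mirrors GnuPG's default --max-cert-depth of 5. Keys that carry only their own signature, like the self-signed CERT key the post complains about, come out unreachable.

```python
"""Toy model of a PGP web of trust: who signed whose key, and whether a
trust path exists from the keys you hold to a key you want to verify.
Key names are constructed placeholders, not real key IDs."""
from collections import deque

# Constructed signature graph: signer -> keys carrying that signer's signature.
# Every key carries its own self-signature, as real OpenPGP keys do.
SIGNATURES = {
    "alice":    {"alice", "bob", "carol"},
    "bob":      {"bob", "dave"},
    "carol":    {"carol", "dave", "erin"},
    "dave":     {"dave"},
    "erin":     {"erin", "frank"},
    "frank":    {"frank"},
    "cert-key": {"cert-key"},   # self-signed only: nobody else vouches for it
}


def signers_of(key):
    """Keys, other than the key itself, that have signed `key`."""
    return {s for s, signed in SIGNATURES.items() if key in signed and s != key}


def is_self_signed_only(key):
    """True when the only signature on the key is its own."""
    return not signers_of(key)


def trust_path(trusted, target, max_depth=5):
    """Breadth-first search from the keys you already trust, following
    signatures outward and treating every key on the path as an introducer
    (a simplification of PGP's owner-trust settings).  Returns the shortest
    path as a list of key names, or None if no path exists within max_depth
    signature hops (GnuPG's default --max-cert-depth is also 5)."""
    if target in trusted:
        return [target]
    queue = deque((k, [k]) for k in sorted(trusted))
    seen = set(trusted)
    while queue:
        key, path = queue.popleft()
        # len(path) - 1 hops so far; extending would add one more.
        if len(path) > max_depth:
            continue
        for nxt in sorted(SIGNATURES.get(key, ())):
            if nxt in seen:
                continue
            if nxt == target:
                return path + [nxt]
            seen.add(nxt)
            queue.append((nxt, path + [nxt]))
    return None


def unreachable(trusted, max_depth=5):
    """Keys in the graph that no signature chain from `trusted` reaches."""
    return sorted(k for k in SIGNATURES
                  if trust_path(trusted, k, max_depth) is None)


if __name__ == "__main__":
    mine = {"alice"}
    for target in ("dave", "frank", "cert-key"):
        print(target, "->", trust_path(mine, target))
    print("self-signed only:", sorted(k for k in SIGNATURES if is_self_signed_only(k)))
    print("unreachable from", sorted(mine), ":", unreachable(mine))
```

Run as-is from the constructed graph: "frank" is reached through carol and erin, "dave" through either bob or carol, and "cert-key" is unreachable because no key other than itself has signed it. Lowering max_depth shows how a depth cap turns a long but valid chain into "no path", which is the same verdict a missing signature produces.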

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com