[Gpg4win-devel] vs S/MIME (Re: Putty and ECDSA support for gpg-agent in 2.0)

Dr. Peter Voigt pvoigt at uos.de
Wed Jul 10 13:15:30 CEST 2013


On Wed, 10 Jul 2013 12:27:07 +0200,
Bernhard Reiter <bernhard at intevation.de> wrote:

> On Wednesday 10 July 2013 at 11:46:14, Dr. Peter Voigt wrote:
> > I've been trying to marginally follow this topic. I'm afraid I've
> > lost the red line. I've got the impression that topic changes from
> > the initial root CA dialog of the installer to a more general
> > discussion about S/MIME versus OpenPGP. Please excuse me, if I'm
> > wrong and feel free to correct me.
> 
> You are spot on, the connection is:
> The desired level of S/MIME support of the product is an input to the
> question if the root cert dialog is needed.
> 
> > Even at the risk of extending the already confusing thread I would
> > like to re-focus at the initial question again. If I got the initial
> > question right, I have to admit that the root CA installation
> > dialog has never been of any use for me and should be dropped. I
> > cannot imagine that it might be useful to anybody. 
> 
> Thanks for that feedback. Why was it not useful for you?
> Did you know the information already?
> 
I cannot exactly remember the content of the dialog anymore. But the
most annoying fact to me was that there is not the one Root CA. You can
only assume that it's meant to be the Root CA that might have issued
your email certificate and private key. And moreover, even if you know
this information during installation you should configure it better
after installation - just the same way you do it with your OpenPGP
private/public key and all the S/MIME keys/certificates. And all
those people that want to use Gpg4win just for OpenPGP email
communication simply do not need any Root CA at that stage of
installation and maybe even never later on.

I suppose most people use Gpg4win for secure email communication.
And most of them do prefer OpenPGP to S/MIME for it. That is
particularly true as it is much harder to get an S/MIME private key and
certificate - regardless of whether you have issued it with your own PKI and
CA or if you have received it issued by an official CA. And key
distribution is much easier with OpenPGP as you can simply use all
those public keyservers. To my knowledge there is no such mechanism to
receive S/MIME certs. It's time-consuming to collect all needed
certificates for a verification of the complete certificate chain.

That's why the Root CA dialog should not appear during installation of
Gpg4win: It will mostly not address the right user group.

Regards,
Peter

