[Gpg4win-users-en] S/MIME vs. OpenPGP
Bernhard Reiter
bernhard at intevation.de
Tue Sep 9 09:05:39 CEST 2014
On Monday 08 September 2014 at 16:02:42, Werner Koch wrote:
> On Mon, 8 Sep 2014 09:58, bernhard at intevation.de said:
> However, in practice CRLs do not work on a global scale.
There are a number of working examples, but I agree that they have problems.
Especially since NSS (from Mozilla) does not enable them by default (AFAIR).
We came from the question of what the use of dirmngr is; I just tried to explain
it: There are a number of nicely working real-world examples where dirmngr
does the CRL checks just fine, so validity information is quite current and
minimally requested over the wire.
> > Of course someone could run a similar service for OpenPGP's
> > certificates, but this is less frequently done.
>
> You have the numbers? I can only guess. Broken CRLs often go
> undetected for weeks but when I released a GnuPG version with a bug in
> --refresh-keys it took only hours for people to detect that.
Educated guessing, just like you.
> > The result of the usage of web of trust that I've seen is that it is very
> > hard to find certificates of communication partners that you rarely
> > communicate with.
> So what? You need a trusted communication channel to someone you don't
> know? No key validation scheme will help you here. Without having an
> established trust connection to your peer you won't send him
> confidential data anyway.
People do this all the time, though. Usually it is someone you know and you
want to establish that the certificate belongs to this person (with a good
chance).
> Similar to keyservers an LDAP does give you any hint on the validity
> (trust) of the key (certificate).
Does not... yes.
> > I guess we both agree that the currently used systems need a lot of
> > improvements.
>
> S/MIME is broken by design because it has been built on the assumption
> of a global directory (X.500, the global directory of the X.400 mail
> system). This global directory does not exist and thus S/MIME requires
> dozens of sometimes contradicting workarounds and a lot of hand waving.
I agree that the overall design never worked out. It also does not make too
much sense to me, because I want people to have aliases, so they can keep
multiple identities. Still, S/MIME is in use and where it is used in an okay
way, it provides reasonable end-to-end security.
> OpenPGP steps that all aside and does not define any infrastructure.
> Nevertheless the keyservers came to life and are still the easiest way
> to find a key for a mail address and to upload a revocation.
In my humble opinion, the usability of this OpenPGP mechanism is worse than
the mechanism of S/MIME right now. But we need to understand this in order to
improve OpenPGP (or other solutions), so I think it is okay to speak openly
about it. Your STEED proposal also addresses this point.
Anyway, I think that we should take this discussion to a different place;
this is a users' list after all. ;)
Best Regards,
Bernhard
--
www.intevation.de/~bernhard (CEO) www.fsfe.org (Founding GA Member)
Intevation GmbH, Osnabrück, Germany; Amtsgericht Osnabrück, HRB 18998
Owned and run by Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner