[JDEV] PGP / Public Key retrieval

Tim McCune timm at channelpoint.com
Tue Oct 10 22:35:59 CDT 2000

Hash: SHA1

Of course, you only have to deal with all of this stuff if you're
worried about digitally signing your IM messages.  I couldn't care
less about this.  All I want is asymmetric key encryption, which is
what Imjay uses, and keeps it "dirt simple".

- -----Original Message-----
From: mark at mjwilcox.com [mailto:mark at mjwilcox.com]
Sent: Tuesday, October 10, 2000 8:18 PM
To: jdev at jabber.org
Subject: Re: [JDEV] PGP / Public Key retrieval

Problems of CAs in general aside, the bigger issue is using PGP. 
PGP is a great system, but how are you going to get people to 
sign up with existing PGP key servers? In particular the masses of 
people who you want to use the system? If you're only concerned 
with talking with hackers, then PGP is fine.

But to the masses (who don't really care about security in the first 
place, yes they want to be secure, but they don't want to deal with 
it), it's got to be dirt simple. 

Thus you need a commercial infrastructure for it like Verisign (the 
MS monopoly of the 21st century), where I can go, give them $20 
and my credit card number & presto I have a digital certificate 
which I can use to authenticate to Web sites, sign email, and 
perhaps even sign Jabber.

Plus there are products like Netscape's Certificate server, Verisign 
Onsite and openSSL/openCA which allow organizations to manage 
their own certificates. 

It's a lot more than just picking a cool protocol. I've been managing
certificates (it's a natural outgrowth of being an LDAP guru and 
webmaster) at a large organization for a long time now. Certificates 
aren't perfect, but it's easier IMHO to do this with existing 
infrastructure like X509 than PGP, in particular if you're looking at
a broader, commercial market.


On 10 Oct 00, at 18:05, Max Horn wrote:

> At 11:43 Uhr -0400 10.10.2000, Peter Millard wrote:
> >I've already looked at dealing w/ PGP inside of Winjab and have
> >thought about this and discussed it at some length w/ jer +
> >others..
> >
> >The big IMPORTANT thing about passing keys around is
> >"authenticity" of the actual key. This is the entire reason that
> >key servers exist... so that just 'anyone' can't send you a public
> >key since you have no way of "knowing" that the other "end" of the
> >Jabber connection isn't a hacker/spoofer/etc..  
> >
> >The Public key servers are "trusted authorities" so that we both
> >trust the server, thus, we can "safely" exchange public keys with
> >it.
> >
> >IMO, the ONLY way that a Jabber client should fetch keys is by
> >doing it through an existing public key server.. or force the user
> >to use the PGP/GPG key utilities to find the key first, and just
> >use the existing key ring.  
> >
> >Temas - am I on the right track here?? :) We talked about this @
> >OSS and this is what I remember from that discussion.
>
> I completely disagree! Keyservers are *not* "trusted authorities"!
> You misunderstood the PGP principle IMHO.
> Keyservers can be victims of spoof attacks etc. just like anyone
> else. In addition, anyone can put a key on a keyserver, faked as
> well as real keys. (Faked meaning: they bear an email address that
> doesn't match the real creator).
> The only two ways to validate a key are 1) you get the key from
> someone you can trust in a *physical* way (e.g. on a disk) or 2)
> the key is signed by some (or better more) keys which are already
> trusted by you. This is how CAs work: they sign your key (marking
> it as trusted & valid) only when you can physically prove it is
> yours. Since you got the public key of the CA you can be sure
> other keys signed by that CA are valid (if you trust them is
> something else, but you can be sure the email/name on the key are
> correct).
> Bye,
> Max
> -- 
> -----------------------------------------------
> Max Horn
> International C/C++/Internet Development
> email: <mailto:max at quendi.de>
>    web: <http://www.quendi.de>
> phone: (+49) 2621-188947
> _______________________________________________
> jdev mailing list
> jdev at jabber.org
> http://mailman.jabber.org/listinfo/jdev

Mark Wilcox
mark at mjwilcox.com

Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>
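
The validation rule quoted in this thread (a key taken from a keyserver counts only if keys you already trust have signed it) can be sketched as follows. This is an added example, not code from the thread or from any Jabber client; Ed25519 signatures stand in for PGP certifications, and the function names, labels and address are hypothetical, constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// binding is what a certifier signs: the address tied to one specific key.
func binding(email string, key ed25519.PublicKey) []byte {
	return append([]byte(email+"\x00"), key...)
}

// Valid decides whether a key fetched from a keyserver for email may be used:
// at least need distinct trusted keys must have certified this exact binding.
func Valid(email string, key ed25519.PublicKey, sigs [][]byte, trusted []ed25519.PublicKey, need int) bool {
	msg, count := binding(email, key), 0
	for _, t := range trusted {
		for _, s := range sigs {
			if ed25519.Verify(t, msg, s) {
				count++
				break
			}
		}
	}
	return count >= need
}

// newKey derives a fixed demo key pair from a label (constructed sample data).
func newKey(label string) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte(label))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// Demo checks keyserver uploads that all claim the same address.
func Demo() (genuine, selfSigned, copiedSig, twoNeeded bool) {
	introPub, introPriv := newKey("introducer")
	alicePub, _ := newKey("alice")
	fakePub, fakePriv := newKey("impostor")
	email, trusted := "alice@example.org", []ed25519.PublicKey{introPub}
	good := [][]byte{ed25519.Sign(introPriv, binding(email, alicePub))}
	self := [][]byte{ed25519.Sign(fakePriv, binding(email, fakePub))}
	return Valid(email, alicePub, good, trusted, 1), // certified by a trusted key
		Valid(email, fakePub, self, trusted, 1), // only vouches for itself
		Valid(email, fakePub, good, trusted, 1), // certification lifted from the real key
		Valid(email, alicePub, good, trusted, 2) // stricter policy: one signer is not enough
}

func main() { fmt.Println(Demo()) }
```

The keyserver never appears in the decision: where the key came from is irrelevant, only the certifications checked against the local trust list matter.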

