[JDEV] PGP / Public Key retrieval
max at quendi.de
Wed Oct 11 04:38:30 CDT 2000
At 21:18 Uhr -0500 10.10.2000, mark at mjwilcox.com wrote:
>Problems of CA's in general aside, the bigger issue is using PGP.
>PGP is a great system, but how are you going to get people to
>sign up with existing PGP key servers? In particular the masses of
>people who you want to use the system? If you're only concerned
>with talking with hackers, then PGP is fine.
>But to the masses (who don't really care about security in the first
>place, yes they want to be secure,but they don't want to deal with
>it), it's got to be dirt simple.
Sorry, but this is an illusion. It's the same as the masses believing
they're home computers are secure (ha ha ha), or there phone lines
secure (echelon...) or anything.
You can't have security without thinking! Point! Anything else is a
lie, maybe a lie which oneself believes, but a lie nevertheless (this
is not ment as an offense, just my opinion). Even if you use a PGP
key/certificate, but don't have a clue about it, it's not really safe
cause someone could trick you somehow.
I think that in reallity those masses will not bother to use *any*
encryption, just as they do with email. And email is almost even
easier to intercept cause it goes through multiple servers (Jabber
only through the receiving and the sending server).
>Thus you need a commercial infrastructure for it like Verisign (the
>MS monopoly of the 21st century), where I can go, give them $20
>and my credit card number & presto I have a digital certificate
>which I can use to authenticate to Web sites, sign email, and
>perhaps even sign Jabber.
Ha ha. only $20 and a credit card number, really? I didn't know
that.... you know how easy it is to get the name & credit card number
of someone (provided he uses it to pay online), if one only really
wants? Oh, and once you have the credit card, paying the $20 is easy,
Basing CAs on ID cards is safer, IMHO, but then again, do we trust
the goverment? Hm...
>Plus there are products like Netscape's Certificate server, Verisign
>Onsite and openSSL/openCA which allow organizations to manage
>their own certificates.
You are right. But SSL relies on CAs signing Certificates, thus we
have to use (centralised) CAs. The idea behind PGPs Web Of Trust is
to be decentralised and not to rely on a single CA or key signer. In
fact you could live without CAs if you wanted. Having many CAs helps,
though. Oh, and a key should be signed by multiple CAs and/or people
>It's a lot more than just picking a cool protocol. I've been managing
>certificates (it's a natural outgrowth of being a LDAP guru and
>webmaster) at a large organization for a long time now. Certificates
>aren't perfect, but it's easier IMHO to do this with existing
>infrastructure like X509 than PGP, in particular if you're looking at a
>broader, commercial market.
Certificates are not really easier. Basically, a PGP key pair signed
by one (or multiple CAs) is the same as a certificate signed by one
(or multiple) CAs. The only difference is the protocol, PGP (or
OpenPGP/GPG) or X509.
I don't see why Certificates are easier. The only technical
difference I see is this: PGP keys can live without CAs, if I want to
communicate with my closeset friends I can give them my key on a disk
and let them sign it and send it back to me, then can talk to their
If I use a Certificate/X509, I *have* to get it signed by a CA if I
want to make it trustable... Yeah, I can set up my own CA (even for
free if I'm a Unix guru and use OpenSSL or so), but don't tell me
that is easier for those "masses" compared to signing a key (which is
very easy using the graphical interfaces for PGP/GPG.
International C/C++/Internet Development
email: <mailto:max at quendi.de>
phone: (+49) 2621-188947
More information about the JDev