[JDEV] PGP / Public Key retrieval

Max Horn max at quendi.de
Wed Oct 11 04:38:30 CDT 2000 

At 21:18 Uhr -0500 10.10.2000, mark at mjwilcox.com wrote:
>Problems of CA's in general aside, the bigger issue is using PGP.
>PGP is a great system, but how are you going to get people to
>sign up with existing PGP key servers? In particular the masses of
>people who you want to use the system? If you're only concerned
>with talking with hackers, then PGP is fine.
>
>But to the masses (who don't really care about security in the first
>place, yes they want to be secure,but they don't want to deal with
>it), it's got to be dirt simple.

Sorry, but this is an illusion. It's the same as the masses believing 
they're home computers are secure (ha ha ha), or there phone lines 
secure (echelon...) or anything.

You can't have security without thinking! Point! Anything else is a 
lie, maybe a lie which oneself believes, but a lie nevertheless (this 
is not ment as an offense, just my opinion). Even if you use a PGP 
key/certificate, but don't have a clue about it, it's not really safe 
cause someone could trick you somehow.


I think that in reallity those masses will not bother to use *any* 
encryption, just as they do with email. And email is almost even 
easier to intercept cause it goes through multiple servers (Jabber 
only through the receiving and the sending server).



>Thus you need a commercial infrastructure for it like Verisign (the
>MS monopoly of the 21st century), where I can go, give them $20
>and my credit card number & presto I have a digital certificate
>which I can use to authenticate to Web sites, sign email, and
>perhaps even sign Jabber.

Ha ha. only $20 and a credit card number, really? I didn't know 
that.... you know how easy it is to get the name & credit card number 
of someone (provided he uses it to pay online), if one only really 
wants? Oh, and once you have the credit card, paying the $20 is easy, 
too :)

Basing CAs on ID cards is safer, IMHO, but then again, do we trust 
the goverment? Hm...



>Plus there are products like Netscape's Certificate server, Verisign
>Onsite and openSSL/openCA which allow organizations to manage
>their own certificates.

You are right. But SSL relies on CAs signing Certificates, thus we 
have to use (centralised) CAs. The idea behind PGPs Web Of Trust is 
to be decentralised and not to rely on a single CA or key signer. In 
fact you could live without CAs if you wanted. Having many CAs helps, 
though. Oh, and a key should be signed by multiple CAs and/or people 
anyway.



>
>It's a lot more than just picking a cool protocol. I've been managing
>certificates (it's a natural outgrowth of being a LDAP guru and
>webmaster) at a large organization for a long time now. Certificates
>aren't perfect, but it's easier IMHO to do this with existing
>infrastructure like X509 than PGP, in particular if you're looking at a
>broader, commercial market.

Certificates are not really easier. Basically, a PGP key pair signed 
by one (or multiple CAs) is the same as a certificate signed by one 
(or multiple) CAs. The only difference is the protocol, PGP (or 
OpenPGP/GPG) or X509.

I don't see why Certificates are easier. The only technical 
difference I see is this: PGP keys can live without CAs, if I want to 
communicate with my closeset friends I can give them my key on a disk 
and let them sign it and send it back to me, then can talk to their 
friends, too.


If I use a Certificate/X509, I *have* to get it signed by a CA if I 
want to make it trustable... Yeah, I can set up my own CA (even for 
free if I'm a Unix guru and use OpenSSL or so), but don't tell me 
that is easier for those "masses" compared to signing a key (which is 
very easy using the graphical interfaces for PGP/GPG.



Bye,

Max

-- 
-----------------------------------------------
Max Horn
International C/C++/Internet Development

email: <mailto:max at quendi.de>
   web: <http://www.quendi.de>
phone: (+49) 2621-188947

More information about the JDev mailing list