[jdev] Re: JEP-0027 (OpenPGP) implementation question

Matthew A. Miller linuxwolf at outer-planes.net
Tue Mar 7 07:05:09 CST 2006 

Note that the following assumes that one favors security with identity, 
not anonymity (-:

 From the perspective of the average user (like my father, siblings, and 
most of my coworkers and customers), obtaining a PGP key is just about 
as complex as obtaining an x.509 certificate (CA- or self-signed).  This 
means that user-friendly consumer-oriented software is going to end up 
generating the PGP key/x.509 certificate for the user.  And if one 
needed stronger trust, then you'd require keys or certificates that are 
signed by a trusted authority anyway.

I don't see why one couldn't also apply this type of trust to 
self-signed (or even signed) x.509 certificates.  As long as the 
certificate is valid, you can treat it as trusted if you're so 
disposed.  At this point, it's no different than trusting unsigned PGP 
keys.  Many of us already effectively do this everyday via our browser.  
It may not be considered the proper manner of working with certificates, 
but if I as a user decide I know better than the certificate chain, then 
that option should be open to me.

I'd like any standard that is developed to try and also accommodate 
organizations larger than mom and pop (or Aunt Tillie, or whatever the 
user-du-jour is now), and this is most likely going to mean the 
capability of supporting x.509 certificates.

But then, my opinion on how Jabber is going to take over the IM world 
are probably colored by my current employment (-:



Trejkaz wrote:
> Peter Saint-Andre wrote:
>> Now, neither OpenPGP or S/MIME enable you to repudiate what you said,
>> and if people find that important then they would need to do
>> JEP-0116 (or something very much like it, such as Gaim's OTR plugin).
>> So in part the differences here come down to requirements and
>> philosophy.
>
> Requirements are exactly it.  The two camps will never agree on which 
> style of cryptography to use, because:
>
> In the pro-OTR camp, everyone thinks that cryptography should be used in
> order to obfuscate what you said and remove traces that it was you who
> said it.  So OTR will appeal in use cases where you want some kind of 
> pseudo-anonymity.
>
> (OTOH, Normal Person + Internet + Anonymity = Total Jackhole)
>
> Then you have the pro-OpenPGP camp, people think that cryptography 
> should be used in order to be able to prove who said something, 
> _especially_ at a later point in time.  This is useful particularly in 
> business, when someone wants to archive conversations for later 
> auditing.)
>
> Also in this camp you have all the people who were already using 
> OpenPGP for some other reason, and therefore want to reuse their keys 
> which they spent hours getting signed by dozens of people.
>
>> But one thing that seems attractive about JEP-0116 is that it doesn't
>> require end users to create OpenPGP keys or obtain X.509
>> certificates, both of which are hard for end users.
>
> X.509 certificates are certainly too hard to obtain for most users, 
> mainly because they're worth practically nothing without the signature 
> from the CA (CAcert is of course available for no cost, but it still 
> takes time: time users can't be bothered to spend.)
>
> With OpenPGP, creating the keys is easy, if not trivial.  Getting them 
> signed (and hence trusted) takes the time.
>
> I guess you can blame a lot of that on the lack of a "simple" GUI for 
> signing keys (by "simple", I refer not to KDE or GNOME simplicity, but 
> MacOS simplicity.)
>
> I often wonder if an instant messaging client might one day provide 
> that simple interface...
>
>    User: [initiates chat to a contact who has signed their presence]
>    IM Client: "Are you absolutely sure this person is the one you wish
>                to talk to? [Yes/No/Ask me again later]"
>    User: Yes
>    IM Client: [signs the key with a relatively low, but good-enough
>                trust value.]
>
> Add a nice indicator next to your contacts who have untrusted keys, 
> and you have yourself an OpenPGP GUI which is almost as useful as the 
> more advanced alternatives.  It's not with "The Spirit" of OpenPGP 
> where you go and meet people in person, but it's certainly more 
> realistic for the ordinary user.
>
> TX

-- 
-  LW

"Got JABBER(R)?" <http://www.jabber.org/>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3543 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://www.jabber.org/jdev/attachments/20060307/dda18ca5/attachment-0002.bin>

More information about the JDev mailing list