IETF Logo Mail Archive

Re: not really pgp signing in van

"John R Levine" <johnl@taugh.com> Tue, 10 September 2013 01:26 UTC

Return-Path: <johnl@taugh.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BEF3E21E8116 for <ietf@ietfa.amsl.com>; Mon, 9 Sep 2013 18:26:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XOFVP5ZrUxxF for <ietf@ietfa.amsl.com>; Mon, 9 Sep 2013 18:26:44 -0700 (PDT)
Received: from leila.iecc.com (leila6.iecc.com [IPv6:2001:470:1f07:1126:0:4c:6569:6c61]) by ietfa.amsl.com (Postfix) with ESMTP id 25EE221E8107 for <ietf@ietf.org>; Mon, 9 Sep 2013 18:26:43 -0700 (PDT)
Received: (qmail 65364 invoked from network); 10 Sep 2013 01:26:42 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent:cleverness; s=ff53.522e7552.k1309; bh=jCq3+nySoNB4K5C8bhKFWmn6+NIptG6DGN8OuW8TrrM=; b=jyKh8r6HFZ7RsLt4UxYY4SDweaRhIjY7aJVZ891USnb1bqUjGy31D7qpJsqzdt9cznkGPfvX2frMMPHTw8nke0O203l0hyo5hBYblP5DDP3+h36FG7oVR/Bz88G+U0wrNT5PljOf7n/axA88OaacGt5TWdVNXrdDvUcxMBx9CzodjUZv3XBIQpPdrIj8/CoeXHQNqpsJVwILcoQXpVs8NKnCDVTIXSeSte3wYeCr5LKZtYiFT+whLAY59XGa34Tu
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent:cleverness; s=ff53.522e7552.k1309; bh=jCq3+nySoNB4K5C8bhKFWmn6+NIptG6DGN8OuW8TrrM=; b=o0/L1ft58lFOnecHEmP8i7gB+ZiedVkLwgenw4epmmYZUyZ5KEcpFukpF0glzWoehlbtNy6ZACsGthyJ8XMRETbTZb0O/YOCP6uqPziuqZIAQaPPA73Jf6bz24pUAQmKOD1btNGoTRRti2PVAPGTlRAGXM28Fr5dQDTdOtm2i3Ex5vFOH4FnB6XXzrnms0xikLx+pWuvB0/uky3lnS9y3XCbCkFAXNYzz7d4/CHMegMgg2ptgDebrsiIB+y8FzcJ
Received: (ofmipd 127.0.0.1); 10 Sep 2013 01:26:20 -0000
Date: Mon, 09 Sep 2013 21:26:42 -0400
Message-ID: <alpine.BSF.2.00.1309092125360.34090@joyce.lan>
From: John R Levine <johnl@taugh.com>
To: Ted Lemon <Ted.Lemon@nominum.com>
Subject: Re: not really pgp signing in van
In-Reply-To: <8D23D4052ABE7A4490E77B1A012B63077527E234@mbx-01.win.nominum.com>
References: <20130910010719.33978.qmail@joyce.lan> <8D23D4052ABE7A4490E77B1A012B63077527E234@mbx-01.win.nominum.com>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
Cleverness: None detected
MIME-Version: 1.0
Content-Type: MULTIPART/signed; protocol="application/pkcs7-signature"; micalg="sha1"; BOUNDARY="3825401791-120024193-1378776402=:34090"
Cc: "<ietf@ietf.org>" <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Sep 2013 01:26:45 -0000

> > Yes, and no.  PGP and S/MIME each have their own key distribution
> > problems.  With PGP, it's easy to invent a key, and hard to get other
> > people's software to trust it.  With S/MIME it's harder to get a key,
> > but once you have one, the software is all happy.
>
> That's a bug, not a feature.   The PGP key is almost certainly more trust=
worthy than the S/MIME key.

Um, didn't this start out as a discussion about how we should try to get
people using crypto, rather than demanding perfection that will never
happen?  Typical S/MIME keys are issued by CAs that verify them by
sending you mail with a link.  While it is easy to imagine ways that
could be subverted, in practice I've never seen it.

> > The MUAs I use (Thunderbird, Alpine, Evolution) support S/MIME a lot
> > better than they support PGP.  There's typically a one key command or
> > a button to turn signing and encryption on and off, and they all
> > automagically import the certs from on incoming mail.

> Yup.  That's also a bug, not a feature.  I was just wondering why that 
> is.  The only implementation I've seen a reference to is Sylpheed, which 
> is not widely used

Same issue.  I can send signed mail to a buttload more people with
S/MIME than I can with PGP, because I have their keys in my MUA.
Hypothetically, one of them might be bogus.  Realistically, they aren't.

R's,
John

v2.23.0 | Report a Bug | By Email