Re: [openpgp] Can the OpenPGP vs. S/MIME situation be fixed?
Derek Atkins <derek@ihtfp.com> Thu, 07 July 2016 14:45 UTC
From: Derek Atkins <derek@ihtfp.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
References: <20160701153304.332d2c95@pc1> <874m86xq04.fsf@alice.fifthhorseman.net> <9A043F3CF02CD34C8E74AC1594475C73F4CB97D2@uxcn10-5.UoA.auckland.ac.nz> <5779E086.9000506@brainhub.org> <BAB41369-E007-4342-8E89-1F023EA851E1@icloud.com> <CAMm+Lwj5F3x4pqGQ2DjDxAqGxsoiBSqK5ToFi-A-nouNDPeH_A@mail.gmail.com> <sjmwpkyq0bd.fsf@securerf.ihtfp.org> <CAMm+Lwg1nsWXPo3VzDs-nLo0ChYSr0RiTyZUR4JvL_yd88ZWsQ@mail.gmail.com>
Date: Thu, 07 Jul 2016 10:45:17 -0400
In-Reply-To: <CAMm+Lwg1nsWXPo3VzDs-nLo0ChYSr0RiTyZUR4JvL_yd88ZWsQ@mail.gmail.com> (Phillip Hallam-Baker's message of "Wed, 6 Jul 2016 18:12:25 -0400")
Message-ID: <sjminwhpkw2.fsf@securerf.ihtfp.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/MehJjKaYgJwCDUVSB702Lc4eb-Q>
Cc: IETF OpenPGP <openpgp@ietf.org>, Jon Callas <joncallas@icloud.com>
Subject: Re: [openpgp] Can the OpenPGP vs. S/MIME situation be fixed?

Phillip Hallam-Baker <phill@hallambaker.com> writes:

> OpenPGP can support hierarchical certificate deployments just fine (my
> company is building one) as well as the Web of Trust model. X.509
> cannot support a Web of Trust deployment, period.
>
> So there is a clear winner here.
>
>
> You can in fact make X.509 do Web of trust. You simply give each user their
> own CA root and cross certify.

I guess X.509v3 does, theoretically, allow multiple signatures on a
certificate, but I was under the impression that zero implementations
actually supported that?

> I was doing that for quite a while till I realized that the legacy stuff was
> hurting rather than helping. Yes you can get the protocols to do more than the
> apps let them. But you don't have the advantage of legacy platform support or
> legacy platform ignoring your stuff in a predictable way.

The nice thing here is that legacy OpenPGP apps DO support hierarchical
deployments without any changes. The only thing you need to do for
OpenPGP is that you need to tell the program to trust the CA. This does
have the benefit (or I suppose if you come from an X.509 world it's a
drawback) that each user needs to declare which CAs are trusted.

I am curious in what way you found the legacy OpenPGP deployments didn't
support hierarchical trust? Or are you saying that legacy X.509 didn't
support a Web of Trust model (which, honestly, doesn't surprise me).

-derek
-- 
Derek Atkins                 617-623-3745
derek@ihtfp.com             www.ihtfp.com
Computer and Internet Security Consultant
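
The point made in the message above, that a hierarchical deployment is a Web of Trust in which each user declares the CA key trusted, sketched as an added example that is not part of the original message. It is a simplified model, not GnuPG's actual algorithm; `valid_keys`, `demo` and all key names are constructed for illustration.

```python
# Simplified model of OpenPGP-style key validity (not GnuPG's real algorithm).
# Every key name and certification below is constructed for illustration.

# (signer, subject) certifications, visible to every user alike.
CERTS = [
    ("corp-ca", "bob"), ("corp-ca", "erin"),   # hierarchy: CA certifies staff
    ("alice", "corp-ca"),                      # Alice verified the CA key
    ("carol", "corp-ca"),                      # Carol verified it too
    ("carol", "dave"), ("dave", "bob"),        # peer-to-peer Web of Trust path
]

def valid_keys(own_key, trusted_introducers, certifications, max_depth=5):
    """Return the set of keys one user considers valid.

    own_key: the user's own key (always valid, always an introducer).
    trusted_introducers: keys whose certifications THIS user chose to honour.
    certifications: (signer, subject) pairs shared by everyone.
    max_depth: bound on the length of a certification chain.
    """
    valid = {own_key}
    introducers = set(trusted_introducers) | {own_key}
    for _ in range(max_depth):
        # A certification counts only if its signer is already valid AND
        # this user has declared the signer a trusted introducer.
        newly = {subject for signer, subject in certifications
                 if signer in valid and signer in introducers} - valid
        if not newly:
            break
        valid |= newly
    return valid

def demo():
    """Same certifications, different per-user trust declarations."""
    return {
        # Alice declared the CA trusted: everything it certified is valid.
        "alice": valid_keys("alice", {"corp-ca"}, CERTS),
        # Carol trusts only Dave: the CA key is valid for her, but its
        # certification of erin is ignored.
        "carol": valid_keys("carol", {"dave"}, CERTS),
        # Once Carol declares the CA trusted, erin becomes valid as well.
        "carol_after_trusting_ca": valid_keys("carol", {"dave", "corp-ca"}, CERTS),
    }

if __name__ == "__main__":
    for user, keys in demo().items():
        print(user, sorted(keys))
```
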