Re: [openpgp] Can the OpenPGP vs. S/MIME situation be fixed?

Derek Atkins <> Thu, 07 July 2016 14:45 UTC

From: Derek Atkins <>
To: Phillip Hallam-Baker <>
References: <20160701153304.332d2c95@pc1> <> <> <> <> <> <> <>
Date: Thu, 07 Jul 2016 10:45:17 -0400
In-Reply-To: <> (Phillip Hallam-Baker's message of "Wed, 6 Jul 2016 18:12:25 -0400")
Cc: IETF OpenPGP <>, Jon Callas <>

Phillip Hallam-Baker <> writes:

>     OpenPGP can support hierarchical certificate deployments just fine (my
>     company is building one) as well as the Web of Trust model.  X.509
>     cannot support a Web of Trust deployment, period.
>     So there is a clear winner here.
>
> You can in fact make X.509 do Web of trust. You simply give each user their
> own CA root and cross certify.

I guess X.509v3 does, theoretically, allow multiple signatures on a
certificate, but I was under the impression that zero implementations
actually supported that?

> I was doing that for quite a while till I realized that the legacy stuff was
> hurting rather than helping. Yes you can get the protocols to do more than the
> apps let them. But you don't have the advantage of legacy platform support or
> legacy platform ignoring your stuff in a predictable way.

The nice thing here is that legacy OpenPGP apps DO support hierarchical
deployments without any changes.  The only thing you need to do for
OpenPGP is that you need to tell the program to trust the CA.  This
does have the benefit (or I suppose if you come from an X.509 world it's
a drawback) that each user needs to declare which CAs are trusted.

I am curious in what way you found the legacy OpenPGP deployments didn't
support hierarchical trust? Or are you saying that legacy X.509 didn't
support a Web of Trust model (which, honestly, doesn't surprise me).


       Derek Atkins                 617-623-3745   
       Computer and Internet Security Consultant