Re: [openpgp] Can the OpenPGP vs. S/MIME situation be fixed?

Thijs van Dijk <schnabbel@inurbanus.nl> Fri, 01 July 2016 15:01 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/UXz4jT-3zMFzDmOXT2qShyZrzLc>
Cc: IETF OpenPGP <openpgp@ietf.org>

Hanno,

This is not a crazy idea at all.
I would welcome and applaud this effort.

It's an idea I've been mulling over as well; in fact I'd envisioned taking
it one step further and introducing a new (v5?) key format that can
transparently embed an X.509 certificate.
This way, key signatures as we in the PGP universe know them can work their
way into the X.509 world, as a way for a "corporate entity" (for lack of a
better word) to endorse an individual, or the other way around. This may
have profound implications for the way we anchor trust in, for instance,
TLS, as individuals can certify e.g. *"I've verified that this certificate
is valid for HTTPS connections to this site"* or even *"I've inspected the
operation of this CA and know them to have their act together"*.
The main things separating the above fantasy from reality are the fact that
   a) this would be hugely impractical *even if* the entire world would use
PGP, and
   b) the entire world does not use PGP.


Having said that, I would still consider unifying PGP and S/MIME a very
worthy direction for 4880bis to take, even if it isn't a prelude to the
above "web of trust ALL the things" daydream.

--
Thijs van Dijk

6A94 F9A2 DFE5 40E3 067E  C282 2AFE 9EFA 718B 6165


On 1 July 2016 at 15:33, Hanno Böck <hanno@hboeck.de> wrote:

> Hi,
>
> Maybe this is a crazy idea, but I wanted to throw it into the
> discussion.
>
> IMHO a big problem with e-mail encryption is that there are two
> competing "official" standards: OpenPGP and S/MIME. Both are RFCs, so
> both have a kinda "official" IETF approval.
> I think it was a big mistake to create two competing standards in the
> first place, but that was back in the 90s. So we may ask if we want to
> live forever with this situation or if it can be fixed.
>
> One of the most common explanations for the two standards I hear
> is that S/MIME is the solution for business communications while
> OpenPGP is more for private users. This never made a lot of sense to
> me, because there are plenty of situations where "business" people may
> have to communicate with "private" people. And the requirements aren't
> any different. E-Mail encryption is supposed to ensure that no
> unauthorized people can read or manipulate your mail, that doesn't
> change whether you're using E-Mail for private or business
> communication. So essentially I think there is no rational case for
> competing standards.
>
> So the question is: Instead of making RFC4880bis a "new OpenPGP
> standard", could it instead be a successor of both OpenPGP and S/MIME?
> Maybe it needs a new name, maybe not. There seems to be an smime working
> group and there is still some activity, although the last RFC was
> published in 2009. Things would obviously have to be coordinated so
> that there is wide acceptance of the new standard.
>
> Technically it would probably mean to create a compatibility layer to
> be able to use both X.509 certificates and PGP keys to encrypt. But
> that shouldn't be too hard, as the keys themselves are just numbers, the
> major difference is just the storage format.
>
> Maybe this is a crazy idea, but maybe this could also be a chance to
> fix one of the biggest mistakes in email encryption.
>
> --
> Hanno Böck
> https://hboeck.de/
>
> mail/jabber: hanno@hboeck.de
> GPG: BBB51E42