Re: [openpgp] OpenPGP private certification [was: Re: Manifesto - who is the new OpenPGP for?]

ianG <iang@iang.org> Fri, 10 April 2015 17:06 UTC

Message-ID: <552802F5.5030501@iang.org>
Date: Fri, 10 Apr 2015 18:05:57 +0100
From: ianG <iang@iang.org>
To: openpgp@ietf.org
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/XWWXRyVkmP5WeUEjhT46vKlzWqc>

On 2/04/2015 17:09 pm, Phillip Hallam-Baker wrote:
> On Thu, Apr 2, 2015 at 10:29 AM, Derek Atkins <derek@ihtfp.com> wrote:
>> From a usability perspective this is the model I would want to see.  I
>> honestly don't care if the actual messages are CMS or 4880 (although I
>> have a large disdain for all things ASN1).
>
> I hate ASN1 just as much as the next guy.
>
> I do not care what format the messages are in. All I care about is who
> we can reach with them.
>
> There are a billion+ clients in existence with S/MIME built in. Every
> email client has to implement TLS these days to secure POP/IMAP/SUBMIT
> communications and CMS comes with practically every TLS library.
>
> If there is a message formatting option that lets us reach those
> billion+ clients with an OpenPGP message without compromising the
> trust model or anything else then let's take it.


Personally I think this is the wrong blockage.  Yes, I recognise that 
the existence of that code inside those 1bn+ clients is potentially 
valuable.

But in practice it is not the key blockage, not even close to being a 
relevant issue.

IMHO the key blockage is politics / commercial control within the 
vendors over the "trust model".  In order to get those clients to open 
up, Mozo and Microsoft need to be incentivised to go in a different 
direction.

In practice this is a much bigger barrier.  As a historical observation, 
there is always a steady queue of hopefuls asking Mozilla to implement 
TOFU & pinning trust models within x.509 products for which *all the 
code is present* but they won't go there.  These hopefuls have all gone 
off depressed and angry, mostly because they never understood that 
Mozilla is a commercial project at that level, and has bought into the 
CA model 100%.

It is for this reason I'm actually very happy that Yahoo and Google are 
doing e2e pgp in their web mail stuff.  The fact that we all know the 
'hushmail' attack is .. unimportant in the scheme of things.  What's 
important is deployment, not perfection in security models.



(all very much IMO, YMMV)

iang