Re: [openpgp] Can the OpenPGP vs. S/MIME situation be fixed?

Phillip Hallam-Baker <phill@hallambaker.com> Wed, 06 July 2016 22:12 UTC

In-Reply-To: <sjmwpkyq0bd.fsf@securerf.ihtfp.org>
References: <20160701153304.332d2c95@pc1> <874m86xq04.fsf@alice.fifthhorseman.net> <9A043F3CF02CD34C8E74AC1594475C73F4CB97D2@uxcn10-5.UoA.auckland.ac.nz> <5779E086.9000506@brainhub.org> <BAB41369-E007-4342-8E89-1F023EA851E1@icloud.com> <CAMm+Lwj5F3x4pqGQ2DjDxAqGxsoiBSqK5ToFi-A-nouNDPeH_A@mail.gmail.com> <sjmwpkyq0bd.fsf@securerf.ihtfp.org>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Wed, 06 Jul 2016 18:12:25 -0400
Message-ID: <CAMm+Lwg1nsWXPo3VzDs-nLo0ChYSr0RiTyZUR4JvL_yd88ZWsQ@mail.gmail.com>
To: Derek Atkins <derek@ihtfp.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/kFDRx1uPfiVLB2VuZPHPoyLEaLQ>
Cc: IETF OpenPGP <openpgp@ietf.org>, Jon Callas <joncallas@icloud.com>

On Wed, Jul 6, 2016 at 10:59 AM, Derek Atkins <derek@ihtfp.com> wrote:

> Phillip Hallam-Baker <phill@hallambaker.com> writes:
>
> >     There's how you issue certificates (the whole CA/introducer issue(s)),
> >     whether certs contain one key or key sets, how they are transported
> >     (S/MIME puts them in the message, OpenPGP in directories etc.), and
> >     even the role of the internal layering. Note that OpenPGP is a binary
> >     (and UTF-8 is still binary) object protocol with a drizzling of
> >     MIME-encoding frosting over the top. That frosting is subject to its
> >     own interpretations. S/MIME in contrast *starts* with the email and
> >     MIME object and underneath there's CMS, usually almost as an
> >     afterthought. (Did you have a momentary "huh?" in your head when you
> >     read CMS? Many people do, and that's the point.) S/MIME starts at the
> >     top, OpenPGP starts at the bottom.
> >
> >     And oh, there are also other things that have to be re-hashed like
> >     ASN.1 all over again and the things it drags along like encoding
> >     rules. This is a good deal why perhaps it's better to just push the
> >     other things up into software. The reason that there are the two
> >     standards is that they address different views of the world,
> >     technical as well as political.
> >
> > Two views of the world that are rather absolutist and thus wrong. Some
> > parts of the world are hierarchical, others are not. A trust
> > infrastructure needs to support both. But it isn't clear such
> > infrastructure is best implemented inside a client.
>
> OpenPGP can support hierarchical certificate deployments just fine (my
> company is building one) as well as the Web of Trust model.  X.509
> cannot support a Web of Trust deployment, period.
>
> So there is a clear winner here.

You can in fact make X.509 do Web of trust. You simply give each user their
own CA root and cross certify.

I was doing that for quite a while till I realized that the legacy stuff
was hurting rather than helping. Yes, you can get the protocols to do more
than the apps let them. But you don't have the advantage of legacy platform
support, or of legacy platforms ignoring your stuff in a predictable way.
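The "each user is their own CA root, then cross-certify" construction described in the message above, worked through with the openssl CLI as an added example (not code from the thread or from any of the participants). Alice and Bob are constructed identities; the script assumes openssl 1.1.1 or later is on PATH and writes everything to a scratch directory.

```shell
#!/bin/sh
# Added example, not from the thread: X.509 "web of trust" by giving each user
# a self-signed root and cross-certifying. A verifier that trusts only Alice's
# root rejects a certificate Bob issued, until Alice's cross-certificate over
# Bob's root key is supplied as an untrusted intermediate.
set -eu

mk_root() {  # mk_root DIR NAME: self-signed CA root for one user (constructed)
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\n' > "$1/root.cnf"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\nsubjectKeyIdentifier=hash\n' \
    >> "$1/root.cnf"
  openssl req -x509 -config "$1/root.cnf" -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
    -nodes -keyout "$1/$2.key" -out "$1/$2.root.pem" -days 365 -subj "/CN=$2 root" 2>/dev/null
}

setup_pki() {  # setup_pki DIR: both roots, Bob's end-entity cert, Alice's cross-cert
  mk_root "$1" alice
  mk_root "$1" bob
  # Bob issues an end-entity certificate under his own root.
  openssl req -new -config "$1/root.cnf" -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
    -nodes -keyout "$1/mail.key" -out "$1/mail.csr" -subj "/CN=bob@example.test" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=emailProtection\nauthorityKeyIdentifier=keyid\n' \
    > "$1/leaf.ext"
  openssl x509 -req -in "$1/mail.csr" -CA "$1/bob.root.pem" -CAkey "$1/bob.key" \
    -CAcreateserial -extfile "$1/leaf.ext" -out "$1/mail.pem" -days 365 2>/dev/null
  # Cross-certification: Alice signs Bob's root *key* under Bob's root *name*,
  # so certificates Bob issued chain through this cert up to Alice's root.
  openssl x509 -x509toreq -in "$1/bob.root.pem" -signkey "$1/bob.key" -out "$1/cross.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' \
    > "$1/cross.ext"
  openssl x509 -req -in "$1/cross.csr" -CA "$1/alice.root.pem" -CAkey "$1/alice.key" \
    -CAcreateserial -extfile "$1/cross.ext" -out "$1/bob.cross.pem" -days 365 2>/dev/null
}

verify_as_alice() {  # verify_as_alice DIR [INTERMEDIATE]: trust store holds only Alice's root
  if [ $# -gt 1 ]; then
    openssl verify -CAfile "$1/alice.root.pem" -untrusted "$2" "$1/mail.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1/alice.root.pem" "$1/mail.pem" >/dev/null 2>&1
  fi
}

d=$(mktemp -d)
setup_pki "$d"
verify_as_alice "$d" && echo "unexpected: accepted without cross-cert" || echo "rejected without cross-cert (expected)"
verify_as_alice "$d" "$d/bob.cross.pem"
echo "accepted via Alice's cross-cert over Bob's root"
```

The pathlen:0 on the cross-cert is the caveat a deployer wants: Alice vouches for Bob's key as an issuer, but not for anyone Bob might in turn cross-certify.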