Re: [openpgp] OpenPGP private certification [was: Re: Manifesto - who is the new OpenPGP for?]

Derek Atkins <derek@ihtfp.com> Thu, 02 April 2015 14:29 UTC

Phillip Hallam-Baker <phill@hallambaker.com> writes:

> By that I mean fixed in time. I agree that it does not need to be
> public. Only the hash needs to be enrolled.

Unfortunately it doesn't matter.  As soon as you require any kind of
"enrollment" the system fails.  Period.  This was (and still is, IMHO)
the major issue with X509/SMIME -- My mother would need to jump through
hoops that she doesn't understand how to jump through in order to get
set up in the system.  I.e., the system doesn't work until the user gets
blessed by some CA.

This is IMHO the power of the OpenPGP model -- generate and go.  From a
UI/UX perspective the system asks for some information (which
technically it already has when you create your email account) and it
generates a key pair for you.  Maybe it uploads it to a keyserver (which
I suppose some could consider "enrollment", but it's a far cry from X509
enrollment requirement).

From this point on the OpenPGP user can encrypt messages to other people
and get encrypted messages to them.  They can choose to get their key
signed by others (or not).  They could get it signed from their
enterprise (if they are in a corporate environment -- my mother
certainly is not).  But the key (pun intended) is that the system works
without any certifications.

From a usability perspective this is the model I would want to see.  I
honestly don't care if the actual messages are CMS or 4880 (although I
have a large disdain for all things ASN1).

So please, for all things sacred, let's not require any kind of
"enrollment" for the system to operate.

Now, if we want to talk about enrollment for "key lookup" properties, of
(non-required) certifications, or anything like that ... I'm all ears.
But it should not be a pre-requisite for a user to get up and running.

-derek

-- 
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant