ietf-openpgp
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [openpgp] OpenPGP private certification

2015-04-08 13:05:33
from [Christoph Anton Mitterer] [Permanent Link] 
On Wed, 2015-04-08 at 10:15 -0400, Phillip Hallam-Baker wrote: 

Personally, I believe that owning your personal DNS name is as
important for security as having a keypair.

Why should it give you any security?


I have a huge part of my
brand invested in hallam(_at_)gmail(_dot_)com which I don't own. Which is why 
I
switched to phill(_at_)hallambaker(_dot_)com for ietf work. But I have yet to 
win
that argument.

It only gives you that some company cannot easily take away your mail
address, but OTOH it's probably an illusion to believe that your own
domain name protects you much more from this.

See cases like the German person called "Shell", who had shell.de and
guess who has it now.



I really don't like having ICANN as my root CA either. DNSSEC is a
monolithic, single rooted scheme which I don't consider very
trustworthy because of that.

Sure, it has similar problems like the X.509 PKI, just on a less extreme
scale.
But no one should try to impose a strict hierarchical trust model on
OpenPGP anyway. So I don't think it's a particularly good idea to
somehow combine OpenPGP with DNS/DNSSEC/DANE.

If at all that would mostly only interesting for securing TOFU like
systems at least a tiny bit - but OTOH, we shouldn't follow TOFU, it's
basically a big lie as I pointed out in a recent lengthy thread on one
of the gnupg mailing lists.



We do need trust hierarchies for key management. But each individual
should be the root of their personal hierarchy.

+1



I don't think anyone has signature validation done right today. All
signatures are broken unless they are enrolled in an append-only log.
To verify a signature, you need to go back in time to the point where
the signature was created and check the signature in that time
context.

I don't get the point here. At least it doesn't sound like anything in
the responsibility of the crypto system, rather something for higher
level programs.


Cheers,
Chris.

Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [openpgp] OpenPGP private certification, Christoph Anton Mitterer
Next by Date:  Re: [openpgp] ways forward wrt IETF wg - please try answer by Apr 8th, Benjamin Kaduk
Previous by Thread:  Re: [openpgp] OpenPGP private certification, Phillip Hallam-Baker
Next by Thread:  Re: [openpgp] OpenPGP private certification, Phillip Hallam-Baker
Indexes:  [Date] [Thread] [Top] [All Lists]