ietf-openpgp

Re: [openpgp] OpenPGP private certification [was: Re: Manifesto - who is the new OpenPGP for?]

2015-04-10 12:06:20
On 2/04/2015 17:09 pm, Phillip Hallam-Baker wrote:
> On Thu, Apr 2, 2015 at 10:29 AM, Derek Atkins <derek(_at_)ihtfp(_dot_)com> wrote:
>> From a usability perspective this is the model I would want to see.  I
>> honestly don't care if the actual messages are CMS or 4880 (although I
>> have a large disdain for all things ASN1).
>
> I hate ASN1 just as much as the next guy.
>
> I do not care what format the messages are in. All I care about is who
> we can reach with them.
>
> There are a billion+ clients in existence with S/MIME built in. Every
> email client has to implement TLS these days to secure POP/IMAP/SUBMIT
> communications and CMS comes with practically every TLS library.
>
> If there is a message formatting option that lets us reach those
> billion+ clients with an OpenPGP message without compromising the
> trust model or anything else then let's take it.


Personally I think this is the wrong blockage. Yes, I recognise that the existence of that code inside those 1bn+ clients is potentially valuable.

But in practice it is not the key blockage, not even close to being a relevant issue.

IMHO the key blockage is politics / commercial control within the vendors over the "trust model". In order to get those clients to open up, Mozo and Microsoft need to be incentivised to go in a different direction.

In practice this is a much bigger barrier. As a historical observation, there is always a steady queue of hopefuls asking Mozilla to implement TOFU & pinning trust models within x.509 products for which *all the code is present* but they won't go there. These hopefuls have all gone off depressed and angry, mostly because they never understood that Mozilla is a commercial project at that level, and has bought into the CA model 100%.

It is for this reason I'm actually very happy that Yahoo and Google are doing e2e pgp in their web mail stuff. The fact that we all know the 'hushmail' attack is .. unimportant in the scheme of things. What's important is deployment, not perfection in security models.



(all very much IMO, YMMV)

iang

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
