ietf-openpgp

Re: [openpgp] Can the OpenPGP vs. S/MIME situation be fixed?

2016-07-01 10:01:38
Hanno,

This is not a crazy idea at all.
I would welcome and applaud this effort.

It's an idea I've been mulling over as well; in fact I'd envisioned taking
it one step further and introducing a new (v5?) key format that can
transparently embed an X.509 certificate.
This way, key signatures as we in the PGP universe know them can work their
way into the X.509 world, as a way for a "corporate entity" (for lack of a
better word) to endorse an individual, or the other way around. This may
have profound implications for the way we anchor trust in, for instance,
TLS, as individuals can certify e.g. *"I've verified that this certificate
is valid for HTTPS connections to this site"* or even *"I've inspected the
operation of this CA and know them to have their act together"*.
The main things separating the above fantasy from reality are the fact that
   a) this would be hugely impractical *even if* the entire world would use
PGP, and
   b) the entire world does not use PGP.


Having said that, I would still consider unifying PGP and S/MIME a very
worthy direction for 4880bis to take, even if it isn't a prelude to the
above "web of trust ALL the things" daydream.

--
Thijs van Dijk

6A94 F9A2 DFE5 40E3 067E  C282 2AFE 9EFA 718B 6165


On 1 July 2016 at 15:33, Hanno Böck <hanno(_at_)hboeck(_dot_)de> wrote:

Hi,

Maybe this is a crazy idea, but I wanted to throw it into the
discussion.

IMHO a big problem with e-mail encryption is that there are two
competing "official" standards: OpenPGP and S/MIME. Both are RFCs, so
both have a kinda "official" IETF approval.
I think it was a big mistake to create two competing standards in the
first place, but that was back in the 90s. So we may ask if we want to
live forever with this situation or if it can be fixed.

One of the most common explanations for the two standards I hear
is that S/MIME is the solution for business communications while
OpenPGP is more for private users. This never made a lot of sense to
me, because there are plenty of situations where "business" people may
have to communicate with "private" people. And the requirements aren't
any different. E-Mail encryption is supposed to ensure that no
unauthorized people can read or manipulate your mail, that doesn't
change whether you're using E-Mail for private or business
communication. So essentially I think there is no rational case for
competing standards.

So the question is: Instead of making RFC4880bis a "new OpenPGP
standard", could it instead be a successor of both OpenPGP and S/MIME?
Maybe it needs a new name, maybe not. There seems to be an smime working
group and there is still some activity, although the last RFC was
published in 2009. Things would obviously have to be coordinated so
that there is wide acceptance of the new standard.

Technically it would probably mean to create a compatibility layer to
be able to use both X.509 certificates and PGP keys to encrypt. But
that shouldn't be too hard, as the keys themselves are just numbers, the
major difference is just the storage format.

Maybe this is a crazy idea, but maybe this could also be a chance to
fix one of the biggest mistakes in email encryption.

--
Hanno Böck
https://hboeck.de/

mail/jabber: hanno(_at_)hboeck(_dot_)de
GPG: BBB51E42

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
