ietf-openpgp

Re: [openpgp] Can the OpenPGP vs. S/MIME situation be fixed?

2016-07-06 17:12:35
On Wed, Jul 6, 2016 at 10:59 AM, Derek Atkins <derek(_at_)ihtfp(_dot_)com> wrote:

Phillip Hallam-Baker <phill(_at_)hallambaker(_dot_)com> writes:

    There's how you issue certificates (the whole CA/introducer issue(s)),
    whether certs contain one key or key sets, how they are transported
    (S/MIME puts them in the message, OpenPGP in directories etc.), and even
    the role of the internal layering. Note that OpenPGP is a binary (and
    UTF-8 is still binary) object protocol with a drizzling of MIME-encoding
    frosting over the top. That frosting is subject to its own
    interpretations. S/MIME in contrast *starts* with the email and MIME
    object and underneath there's CMS, usually almost as an afterthought.
    (Did you have a momentary "huh?" in your head when you read CMS? Many
    people do, and that's the point.) S/MIME starts at the top, OpenPGP
    starts at the bottom.

    And oh, there are also other things that have to be re-hashed like
    ASN.1 all over again and the things it drags along like encoding rules.
    This is a good deal why perhaps it's better to just push the other
    things up into software. The reason that there are the two standards is
    that they address different views of the world, technical as well as
    political.

Two views of the world that are rather absolutist and thus wrong. Some parts
of the world are hierarchical, others are not. A trust infrastructure needs to
support both. But it isn't clear such infrastructure is best implemented
inside a client.

OpenPGP can support hierarchical certificate deployments just fine (my
company is building one) as well as the Web of Trust model.  X.509
cannot support a Web of Trust deployment, period.

So there is a clear winner here.


You can in fact make X.509 do Web of trust. You simply give each user their
own CA root and cross certify.

I was doing that for quite a while till I realized that the legacy stuff
was hurting rather than helping. Yes, you can get the protocols to do more
than the apps let them. But you don't have the advantage of legacy platform
support or legacy platform ignoring your stuff in a predictable way.
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
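The construction Phillip describes above (every user is their own self-signed CA root, and "signing someone's key" becomes issuing them a cross-certificate) as an added worked example. This is not code from the thread or from anyone's product; the users Alice, Bob, Carol, Mallory and Dave, the Ed25519 keys, the fixed clock and the minimal path checker are all constructed for illustration. It needs the `cryptography` package.

```python
"""Web of Trust on top of X.509: one self-signed root per user, cross-certs as key signatures.

Added example, not from the mailing-list thread.  All identities, keys and the
validation policy below are made up for illustration.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
from cryptography.x509.oid import NameOID

# Constructed demo clock; every certificate is valid for one year from here.
NOW = datetime.datetime(2016, 7, 6)
ONE_YEAR = datetime.timedelta(days=365)


def dn(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def issue(issuer_key, issuer_cn, subject_cn, subject_pubkey, ca):
    """Issue one certificate.  Same issuer and subject with the issuer's own key
    gives a self-signed user root; ca=True from a different issuer is a
    cross-certificate (the X.509 spelling of "I signed your key"); ca=False is an
    ordinary end-entity certificate."""
    builder = (
        x509.CertificateBuilder()
        .subject_name(dn(subject_cn))
        .issuer_name(dn(issuer_cn))
        .public_key(subject_pubkey)
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW)
        .not_valid_after(NOW + ONE_YEAR)
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, None)  # Ed25519: the hash algorithm must be None


def is_ca(cert):
    try:
        return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        return False


def validity(cert):
    """(not_before, not_after) as naive UTC datetimes, on old and new cryptography versions."""
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is None:
        return cert.not_valid_before, cert.not_valid_after
    return nb.replace(tzinfo=None), cert.not_valid_after_utc.replace(tzinfo=None)


def verify_path(leaf, intermediates, anchor, at=NOW):
    """Minimal path validation for this layout: leaf -> zero or more
    cross-certificates -> the verifier's own self-signed root.  Checks name
    chaining, the validity window, the CA bit on every issuer and every
    signature.  Revocation and name constraints are deliberately out of scope."""
    if anchor.issuer != anchor.subject:
        return False  # the trust anchor must be the verifier's self-signed root
    chain = [leaf, *intermediates, anchor]
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject or not is_ca(parent):
            return False
        not_before, not_after = validity(child)
        if not (not_before <= at <= not_after):
            return False
        try:
            parent.public_key().verify(child.signature, child.tbs_certificate_bytes)
        except InvalidSignature:
            return False
    return True


# Constructed demo identities: each user is a root of their own.
ALICE, BOB, CAROL, MALLORY = (Ed25519PrivateKey.generate() for _ in range(4))
alice_root = issue(ALICE, "Alice", "Alice", ALICE.public_key(), ca=True)
bob_root = issue(BOB, "Bob", "Bob", BOB.public_key(), ca=True)
# Alice has checked Bob's key and cross-certifies it: the WoT "signature on a key".
bob_by_alice = issue(ALICE, "Alice", "Bob", BOB.public_key(), ca=True)
# Bob vouches for Carol with an ordinary end-entity certificate.
carol_by_bob = issue(BOB, "Bob", "Carol", CAROL.public_key(), ca=False)
# Mallory forges a cross-certificate naming Alice as issuer (Bob's real key, Mallory's signature).
bob_by_mallory = issue(MALLORY, "Alice", "Bob", BOB.public_key(), ca=True)
# Carol (ca=False) tries to vouch for Dave.
dave_by_carol = issue(CAROL, "Carol", "Dave", Ed25519PrivateKey.generate().public_key(), ca=False)


def results():
    """Which paths validate from whose root."""
    return {
        # Alice reaches Carol only through her own cross-cert for Bob.
        "alice_to_carol_via_bob": verify_path(carol_by_bob, [bob_by_alice], alice_root),
        # Bob trusts Carol directly.
        "bob_to_carol": verify_path(carol_by_bob, [], bob_root),
        # Without the cross-cert Alice has no path to Carol.
        "alice_to_carol_no_xcert": verify_path(carol_by_bob, [], alice_root),
        # The forged cross-cert fails the signature check against Alice's root.
        "forged_xcert": verify_path(carol_by_bob, [bob_by_mallory], alice_root),
        # Carol's certificate has ca=False, so anything she issues is rejected.
        "non_ca_issuer": verify_path(dave_by_carol, [carol_by_bob, bob_by_alice], alice_root),
    }


if __name__ == "__main__":
    for label, ok in results().items():
        print(f"{label:26s} {'valid' if ok else 'REJECTED'}")
```

The point of the `bob_by_mallory` and `dave_by_carol` cases is where the legacy baggage Phillip mentions bites: a stock X.509 validator enforces the CA bit and name chaining, so every user root must be issued with `ca=True` and every cross-certificate must carry it too, otherwise an off-the-shelf client rejects the path even though the keys and signatures are all in order.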