Stefan,
The most important thing in ANY cryptographic system is KEY MANAGEMENT. In
a PKI, the key management agent is the Certificate Authority (CA).
You might want to bring up the issue of Trust Models. There are essentially
three models supported in the market today: Web of Trust (sometimes called
Key-Ring Trust), In-Sourced Trust, and Outsourced Trust.
There are different levels of trust (and risk) associated with products
that support these different models. In the case of PGP (as I know it),
there is no central key management agent. All keys are generated on the fly
and passed around informally. There is no independent agent that verifies
the integrity of users and associated certificates (i.e. cryptographic
keys). This method works okay in the case of a small number of users who
share PGP keys in a literal handshake (or trust their being passed via
email); but the integrity of the system breaks down quickly as keys are
passed from one user to the next.
An In-Sourced Trust Model basically means the key management function is
implemented and managed by some trusted entity within some closed community
(a corporation, for example). An example here would be Entrust.
An Out-Sourced Trust Model means key management is literally outsourced to
a 3rd party, like Verisign.
Which trust model your organization chooses to rely on for key management
should, in no small measure, dictate the PKI product to implement.
Regards,
Bill Henry
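The two trust models Bill contrasts above (a PGP-style web of trust versus a CA hierarchy) can be made concrete with a small model. The following Python is an added example, not code from the original thread or from any PGP or S/MIME product; it treats key signatures as plain graph edges with no real cryptography, and every key name, CA name and signature outcome in it is constructed for illustration. The web-of-trust checker enforces a maximum signature-path length and a minimum number of independent introducers, which is the practical mitigation for the degradation Bill describes as keys get passed from user to user; the CA checker shows why a hierarchy fails closed: a certificate chaining to an unconfigured root, or with a broken issuer signature, is rejected.

```python
"""Toy model of two PKI trust models: a web of trust (trust flows along
key-signature paths from keys you verified yourself) and a CA hierarchy
(every certificate must chain, link by link, to a configured trust anchor).
Signatures are modelled as edges; no cryptography is performed.
All identities below are constructed for this example."""
from collections import deque

# --- Web of trust ---------------------------------------------------------
# WEB_SIGS[signer] = key ids that `signer` has certified (constructed data).
WEB_SIGS = {
    "alice": {"bob", "carol"},
    "bob": {"dave"},
    "carol": {"dave", "erin"},
    "dave": {"frank"},
    "erin": {"frank"},
    "frank": {"mallory"},
}


def reachable_within(sigs, start, max_depth):
    """Breadth-first walk over signature edges; returns {key: distance} for
    every key reachable from `start` in at most `max_depth` signatures."""
    seen = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if seen[node] == max_depth:
            continue
        for nxt in sigs.get(node, ()):
            if nxt not in seen:
                seen[nxt] = seen[node] + 1
                queue.append(nxt)
    return seen


def web_of_trust_valid(sigs, own_verified, target, max_depth=2, min_introducers=1):
    """Accept `target` only if it is one of the keys we verified in person
    (`own_verified`), or if at least `min_introducers` of those keys reach it
    through at most `max_depth` signatures. The depth limit bounds how far a
    key may be passed along informally before we stop trusting it."""
    if target in own_verified:
        return True
    introducers = [k for k in own_verified
                   if target in reachable_within(sigs, k, max_depth)]
    return len(introducers) >= min_introducers


# --- CA hierarchy ---------------------------------------------------------
# CA_CERTS[subject] = (issuer, signature_verifies). The boolean stands in for
# checking the issuer's signature over the certificate (constructed data).
CA_CERTS = {
    "Bank Root CA": ("Bank Root CA", True),           # self-signed anchor
    "Bank Issuing CA": ("Bank Root CA", True),
    "alice@bank.example": ("Bank Issuing CA", True),
    "bob@bank.example": ("Bank Issuing CA", False),   # tampered certificate
    "Outside CA": ("Outside CA", True),               # root we never configured
    "eve@elsewhere.example": ("Outside CA", True),
}


def ca_chain_valid(certs, subject, trust_anchors, max_chain=5):
    """Walk issuer links from `subject` until a configured trust anchor is
    reached. Every link's signature must verify; a self-signed certificate
    that is not a configured anchor ends the chain with a rejection."""
    current = subject
    for _ in range(max_chain):
        if current in trust_anchors:
            return True
        if current not in certs:
            return False
        issuer, sig_ok = certs[current]
        if not sig_ok or issuer == current:
            return False
        current = issuer
    return False  # chain too long


if __name__ == "__main__":
    mine = {"bob", "carol"}  # keys exchanged in a literal handshake
    for who in ("dave", "frank", "erin", "mallory"):
        print(who, web_of_trust_valid(WEB_SIGS, mine, who, min_introducers=2))
    for subj in ("alice@bank.example", "bob@bank.example", "eve@elsewhere.example"):
        print(subj, ca_chain_valid(CA_CERTS, subj, {"Bank Root CA"}))
```

Raising `min_introducers` or lowering `max_depth` is the web-of-trust equivalent of a stricter certificate policy; in the hierarchy the same decision is made once, when the organization chooses which root to configure, which is why the choice of trust model drives the product choice as Bill says.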
-----Original Message-----
From: Stefan_Salzmann/HAM/Lotus(_at_)lotus(_dot_)com
[SMTP:Stefan_Salzmann/HAM/Lotus(_at_)lotus(_dot_)com]
Sent: Thursday, November 05, 1998 4:55 AM
To: em(_at_)who(_dot_)net
Cc: ietf-smime(_at_)imc(_dot_)org
Subject: Some comments on SMIME versus PGP
Our customer (a German bank) uses Lotus Notes. We are implementing an SMIME
plugin right now. A couple of days ago some representatives were at a general
German bank conference. At that conference they discussed secure email
implementations with other banks. Many banks there argued for PGP and said
that PGP would be better than SMIME. Because our customer doesn't want to swim
against the stream, it is now trying to do some convincing work for SMIME.
Therefore I was looking for the differences between SMIME and PGP.
Your URLs helped in that they provide a reliable source for statements for and
against each of those two methods. I was also struggling too much with
detailed differences. I missed the big picture, or rather I didn't have
reliable sources for confirming my thoughts.
In my opinion (as far as I have read), SMIME will become the major standard
because of its compliance with PKI components and its support of major
standards such as X.509v3 and PKCS (which isn't a standard but is widely
adopted). I also believe the incompatibility between SMIME and PGP will work
against PGP.
Would you agree with that?
"Enzo Michelangeli" <em(_at_)who(_dot_)net> on 05.11.98 09:59:36
To: Stefan Salzmann/HAM/Lotus(_at_)LOTUSINT
cc:
Subject: Re: The URLs you gave me are fantastic, it's exactly what I need!!
Thanks once again <eom>