pem-dev

(PGP vs. (PEM vs. PEM-MIME)) vs. WEB

1994-12-13 18:24:00

long message (see conclusion at end if in a hurry)

PEM vs. PGP
===========

The issue is not |#PGP - #PEM|, where #x represents the number of
users in the "x" community.  I guess I should have phrased the question
differently (originally "Is PGP really more widespread than PEM?") 

The issue is that I see so little market use for either approach
that I am puzzled by the strong support of one over the other based
on market deployment.  The market size is statistically insignificant!

When I think of a "market", I think of:

        1) All employees in a company, from a secretary to the CEO
        2) All students in a school, from the Phys. Ed major to the 
           CS. graduate student in the computer lab
        3) Ordinary citizens using their home PC

I think the market for PGP has been exclusively computer literate
researchers and engineers and some students and privacy advocates.  
I also think this group will continue to advocate PGP over PEM for
an obvious reason--it works for them better!

According to my definition of the market, only a small segment of the
market can use PEM or PGP.  The actual difference between PEM and PGP
may be bigger than zero but it is epsilon when you consider the market
as a whole -- 98% of the people use neither PEM nor PGP (if not 99.9%).
And those who do, rarely do.

Frankly, I think PEM and PGP are similar in that you can create a PEM
hierarchical trust model using PGP, and you can similarly create a PGP
web of trust using the PEM model.  This is an OVER SIMPLIFICATION, but
imagine designating your boss as the CA in your group (for the former)
and using self-signed certificates (for the latter).  This ignores
obvious issues, but I fail to see why we have two camps so
religiously opposing each other on these two very similar technologies.

What both PEM and PGP users need is a good user interface.  If e-mail
is the application of choice to add security to, then integrate PEM
or PGP to all mailers, but until you do that, I don't think you will
get a serious sized user base.  The problem of integrating
is not just opening a dialog box to ask for password and a button to
encrypt.  The key management must be transparent to the user as well. 
I have a hard time being convinced that ordinary users (98% of the
Market) will understand how to maintain a PGP pub-key-ring file.  I am
not saying that all current available PEM implementations have solved
this problem either.

WEB vs. (PEM/PGP)
=================

Even if the GUI is there, do people care for secure e-mail?  Even I
rarely do! Electronic commerce is a better application because the
need for security is more obvious than in e-mail and hence people have
more incentives to make it secure.  You can force the horse to the
water but you cannot force it to drink.  Hopefully, with electronic
commerce, the horse is already thirsty!  Well, hopefully it will be !-)


CONCLUSION
==========

For what it is worth, I see a more significant market force behind
secure e-commerce (WEB) than secure e-mail and I hope that we do it
right this time.  As Bob said, "a much wider audience would gain a 
painful education in reality" if we don't do it right this time.  I
think concentrating on the details of differences in PEM/MIME-PEM/PGP
will cause us to miss the boat--the real issues to address are GUIs
and transparent key management.  I strongly believe PEM RFC 1422 is
nearer to our solution (especially for e-commerce) than anything
else.  (Well, I have not considered PKCS.)  I think MIME-PEM (while a
good idea to have MIME) sets us back some and delays progress forward
with PEM.  The current market for both PEM and PGP is too insignificant
to justify arguing one over another based on it.

_______________________________________________________________________
Alireza Bahreman                          E-Mail: bahreman(_at_)bellcore(_dot_)com
Bellcore, Room RRC-1K221                  Phone : +1 908 699 7398
444 Hoes Lane, Piscataway, NJ 08854       Fax   : +1 908 336 2943

