spf-discuss

[spf-discuss] Re: Automatic key verification / CERT in DNS / RFC4398

2006-04-06 08:28:30
> The problem with S/MIME is that you can't create a usable certificate for yourself. You have to hand over a lot of money to a more or less trustworthy CA with no real benefit. OpenPGP is much easier to use in that respect.

This is untrue; actually, you get class 1 certificates for free from TC Hamburg, Thawte or even Verisign, which are trusted in Outlook, Outlook Express, Mozilla, Lotus Notes - heck, almost any mail client!

OpenPGP, however, has no defined rank-of-trust system - it's flawed in that way IMHO - there are some signer keys, yes, but mostly only those made by universities and not for commercial use (those I'm aware of are at https://www.globaltrustpoint.com/pgp/pgp_list_public_keys.jsp?keyType=trusted).

However, OpenPGP is easy to use if you just want end-to-end encryption, which is good enough for the average PC user, and of course it is by default not bound to the certificate's e-mail address, which is a big plus for me.


> I doubt that signing a message puts more load on a server than all the spam filtering and virus scanning in use today.


This is actually true; signing a message (average size) has not much impact on the server - the maximum I've seen is 200% of the normal processing for PGP and 150% more for OpenSSL (yes, GnuPG seems to be slower here =/) - figures based on 50,000 mails in a few minutes.

> Doing client-side signing and verification is definitely scalable, but is difficult to get jump-started.

This is actually not right - because client-side you will always have the trouble of getting all up-to-date CRLs, CAs, OCSP signer certs etc. (I'm talking S/MIME here) and revoked keys for PGP. Do you want to update every client every second to make sure the validation is correct, or just have *one* trusted server handle the result, which will take care of all CRLs, all CAs, all OCSP connections?


> Thus start with server-side signing using one key per domain.
>
> I don't think that's likely to happen any time soon. The solutions which are easy to implement are non-scalable, and the scalable solutions are much more difficult to implement.


I don't quite get that point here; there are actually enterprise gateways which have used DNS lookups for certificate retrieval (X.509) for over 4-5 years... nothing difficult when you only use 1 key (domain/group key) for the domain - even then the DNS entries can be extended for more users and there should be no issue at all.




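The DNS-based certificate retrieval the message refers to is what the CERT resource record of RFC 4398 (named in the subject line) provides. The following is an added example, not code from the original message or from the list: it encodes and parses a CERT record carrying an X.509 (PKIX) certificate in wire and zone-file form, computes the RFC 4034 key tag that goes in its header, and applies a rough size check against the classic 512-byte UDP reply limit, which is the practical snag with putting whole certificates into DNS. The certificate bytes and the DNSKEY-format public key in the demo are constructed placeholders, not real key material, and the reply-size figure is an estimate that assumes one answer record with a compressed owner name.

```python
"""Encode and parse a DNS CERT record (RFC 4398) carrying an X.509 certificate.

Added example; not code from the original spf-discuss message.  The
certificate and the DNSKEY-format public key below are constructed
placeholders, not real key material.
"""
import base64
import struct

# RFC 4398 section 2.1: certificate type values and their zone-file mnemonics.
CERT_TYPE_PKIX = 1      # X.509 certificate as used by PKIX
CERT_TYPE_PGP = 3       # OpenPGP packet
CERT_TYPE_NAMES = {1: "PKIX", 2: "SPKI", 3: "PGP", 4: "IPKIX", 5: "ISPKI",
                   6: "IPGP", 7: "ACPKIX", 8: "IACPKIX", 253: "URI", 254: "OID"}

# Fixed part of the RDATA: type (16 bits), key tag (16 bits), algorithm (8 bits).
HEADER = struct.Struct(">HHB")
CLASSIC_UDP_LIMIT = 512  # RFC 1035 payload limit without EDNS0


def dnskey_key_tag(dnskey_rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA per RFC 4034 Appendix B (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def cert_rdata(cert_type: int, key_tag: int, algorithm: int, cert: bytes) -> bytes:
    """Wire-format CERT RDATA: 5-byte header followed by the certificate bytes."""
    if not (0 <= cert_type <= 0xFFFF and 0 <= key_tag <= 0xFFFF and 0 <= algorithm <= 0xFF):
        raise ValueError("CERT header field out of range")
    if not cert:
        raise ValueError("empty certificate body")
    return HEADER.pack(cert_type, key_tag, algorithm) + cert


def parse_cert_rdata(rdata: bytes):
    """Inverse of cert_rdata(); rejects truncated RDATA rather than returning an empty cert."""
    if len(rdata) <= HEADER.size:
        raise ValueError("CERT RDATA must be longer than its 5-byte header")
    cert_type, key_tag, algorithm = HEADER.unpack_from(rdata)
    return cert_type, key_tag, algorithm, rdata[HEADER.size:]


def cert_presentation(rdata: bytes) -> str:
    """Zone-file form (RFC 4398 section 2.2): mnemonic, key tag, algorithm, base64 body."""
    cert_type, key_tag, algorithm, cert = parse_cert_rdata(rdata)
    mnemonic = CERT_TYPE_NAMES.get(cert_type, str(cert_type))
    body = base64.b64encode(cert).decode("ascii")
    return f"CERT {mnemonic} {key_tag} {algorithm} {body}"


def owner_wire_length(owner: str) -> int:
    """Length of a domain name in wire form: one length byte per label plus the root."""
    labels = [lab for lab in owner.rstrip(".").split(".") if lab]
    return sum(len(lab) + 1 for lab in labels) + 1


def estimate_reply_size(owner: str, rdata: bytes) -> int:
    """Rough size of a one-answer response: 12-byte header, the question, and an
    answer whose owner is a 2-byte compression pointer to the question name."""
    question = owner_wire_length(owner) + 4          # QNAME, QTYPE, QCLASS
    answer = 2 + 10 + len(rdata)                     # pointer, TYPE/CLASS/TTL/RDLENGTH, RDATA
    return 12 + question + answer


def fits_classic_udp(owner: str, rdata: bytes) -> bool:
    """False when the record would need EDNS0 or TCP fallback to be delivered."""
    return estimate_reply_size(owner, rdata) <= CLASSIC_UDP_LIMIT


if __name__ == "__main__":
    # Constructed stand-ins: DNSKEY-format RDATA (flags 256, protocol 3, algorithm 8
    # RSA/SHA-256, then key material) and a DER-looking blob standing in for the cert.
    fake_dnskey = struct.pack(">HBB", 256, 3, 8) + bytes(range(0x10, 0x90))
    fake_cert = b"\x30\x82\x04\x00" + bytes(range(256)) * 4   # ~1 KB, like a real cert
    tag = dnskey_key_tag(fake_dnskey)
    rd = cert_rdata(CERT_TYPE_PKIX, tag, 8, fake_cert)
    print("example.com. IN", cert_presentation(rd)[:60], "...")
    print("fits in 512-byte UDP reply:", fits_classic_udp("example.com.", rd))
    _, parsed_tag, _, parsed_cert = parse_cert_rdata(rd)
    assert parsed_tag == tag and parsed_cert == fake_cert
```

The demo deliberately uses a certificate-sized body so that the UDP check comes back false: a domain-wide key published this way is only fetchable by resolvers that negotiate EDNS0 or retry over TCP, which is the caveat behind the "URI" type and the per-domain key the message argues for.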
