North American Network Operators Group


RE: PGP keyserver infrastructure

  • From: Roeland M.J. Meyer
  • Date: Fri Jun 30 17:31:22 2000

> From: L. Sassaman [mailto:[email protected]]
> Sent: Friday, June 30, 2000 12:49 PM

> On Fri, 30 Jun 2000 [email protected] wrote:

> X.509 is definitely better suited for certain situations,
> especially where certificate chaining is required. I cannot,
> however, envision that the X.509/-slash-S/MIME standards will
> ever become more popular for email usage. They are just too
> anti-user.

I hope you don't mind if I disagree. The way Outlook 2K works
with certs and other SSL items is almost painless. Note that this
message is generated with Outlook. To consider Outlook anti-user
(different from anti-consumer) is indeed myopic.

Also, yes, EudoraPro is the superior MUA and it doesn't do X.509
easily, however it also doesn't do calendar, tasks, and other
workgroup stuff, which is the reason that I reluctantly switched
from there. Corporate America does Outlook, Lotus Domino, or some
other WG aware package. Those that do not are out-of-the-loop.

I will concede the issue of making other mailers S/MIME capable
may be a PITA. But I conceded that point at the start. The
bottom-line is that every eCommerce site must have these certs to
do SSL. This drives the build-out of the X.509 PKI. PGP has no
such incentive. Also, I must use different keys for client-side
web-certs than for client email. .. NOT gonna happen for long.

If you take the above two points significantly (and you don't
have to), they spell out a strong favor to X.509. Yes, this is
not a technical argument. However, I still think it is valid. The
world is headed towards X.509 for reasons having nothing to do
with technical merits, other than that it works sufficiently
well. That point may be arguable, but what is not arguable is
that X.509 certs are not going away anytime soon. They are just
too useful and all SSL sites are dependent on them. My question
is, why have two disparate systems? Further, why re-invent the
PKI wheel? Much of what you say WRT OpenCA, is easily countered.
Besides, there are commercial CAs available already. Or is it
that you are trying to say that PGP PKI is as developed as SSL
PKI? Is it only a "Simple Matter of Programming?" I don't think
that states the issues well at all.

BTW, as I said earlier, it is NOT a matter of right/wrong. It is
a relative value issue. Both are right, both work sufficiently,
PGP PKI would take more development work. Why do you have to make
this a bi-polar situation?