North American Network Operators Group

RE: PGP keyserver infrastructure

  • From: Roeland M.J. Meyer
  • Date: Sat Jul 01 11:39:49 2000

> L. Sassaman
> Sent: Saturday, July 01, 2000 2:58 AM
>
> On Fri, 30 Jun 2000, Michael Helm wrote:
>
> > "L. Sassaman" writes:
> > > X.509 is a much older and cruftier standard. PGP is

> > I think is up to customers to decide.
>
> I think customers *have* decided. Where is PEM now?

PEM is being used on every ecommerce site now, to implement
SSL. Where have you been? Show me a site being secured with PGP,
please. These same certs can be, and are, used to protect email
content, it's called S/MIME. Please show where this doesn't work.

There is a working PKI for X.509 that operates at commercial
production levels. Further, third-party online auth, via TLS, is
also built into the system (PGP doesn't do that). It works and
lives now.

As far as customer acceptance goes, they don't want to deal with
two different encryption systems when one will do the job. They
already are used to SSL via their ecommerce activity. Getting the
same type of encryption for their email reduces their pain. Ergo,
your statement doesn't float. Please provide evidence to the
contrary.

You should know that I've been trying to get PGP accepted for
years. I've given up. That dog won't hunt. Customers couldn't
grasp the difference between client-side SSL certs (SecureWebMail
[TM MHSC]) and PGP, for the exact same email over POP3. Every one
of them demanded to be able to use the same cert for both. 2000
users out of 3500 all said the same thing here. This is from our
SecureWebMail beta, last year. This gets even worse when doing
SSL/POP3. Using a different cert (X.509) for the SSL auth and
encrypting the content (PGP) is both useless and stupid. It also
makes key management unbelievably complex. Since I can't get PGP
to work with SSL and I CAN get X.509 to encrypt message content,
guess which drops out the door.

In case you haven't figured it out yet, it's an integration
issue, not strictly a technical one.