Automatic key verification / CERT in DNS / RFC4398

Harakiri harakiri_23 at yahoo.com
Thu Apr 6 17:27:36 CEST 2006


> The problem with S/MIME is that you can't create a usable
> certificate for yourself.  You have to hand over a lot of money to
> a more or less trustworthy CA with no real benefit.  OpenPGP may be used
> much easier in that respect.

This is untrue; actually, you get class 1 certificates
for free from TC Hamburg, Thawte or even Verisign,
which are trusted in Outlook, Outlook Express,
Mozilla, Lotus Notes - heck, almost any mail client!

OpenPGP, however, has no defined rank-of-trust system -
it's flawed in that way IMHO - there are some signer
keys, yes, but mostly only those made by
universities and not for commercial use (those I'm
aware of are
https://www.globaltrustpoint.com/pgp/pgp_list_public_keys.jsp?keyType=trusted)

However, OpenPGP is easy to use if you just want
end-to-end encryption, which is good enough for the
average PC user, and of course it is by default not bound
to the certificate email address, which is a big plus
for me.

> I doubt that signing a message puts more load on a server than all the
> spam filtering and virus scanning in use today.


This is actually true; signing a message (average
size) has not much impact on the server - the maximum I've
seen is 200% of the normal processing for PGP and 150%
more for OpenSSL (yes, GnuPG seems to be slower here
=/) - figures based on 50000 mails in a few minutes.

> > 	Doing client-side signing and verification is definitely
> > scalable, but is difficult to get jump-started.

This is actually not right - because client-side you
will always have the trouble of getting all up-to-date
CRLs, CAs, OCSP signer certs etc. (I'm talking S/MIME
here) and revoked keys for PGP. Do you want to update
every client every second to make sure the validation
is correct, or just have *one* trusted server handle
the result, which will take care of all CRLs, all CAs,
all OCSP connections?

> Thus start with server-side signing using one key per domain.
>
> > 	I don't think that's likely to happen any time soon.  The
> > solutions which are easy to implement are non-scalable, and the
> > scalable solutions are much more difficult to implement.

I don't quite get that point here; there are actually
enterprise gateways which have used DNS lookups for
certificate retrieval (X.509) for over 4-5
years... nothing difficult when you only use 1 key
(domain/group key) for the domain - even then the DNS
entries can be expanded for more users and there
should be no issue at all.



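The message above refers to gateways that fetch a domain's X.509 certificate from DNS, and the subject line names RFC 4398, which defines the CERT resource record used for that. The following is an added example, not code from the poster or from GnuPG: it encodes and decodes CERT RDATA in the RFC 4398 wire format (16-bit type, 16-bit key tag, 8-bit algorithm, then the certificate bytes), converts to and from the zone-file presentation form, and computes the key tag with the RFC 4034 Appendix B algorithm. The owner name `example.com.`, the certificate bytes and the DNSKEY RDATA are constructed sample data, not a real certificate or key. A practitioner caveat the thread's CRL/OCSP discussion implies: a CERT answer from unsigned DNS is attacker-controllable input, so a gateway must still validate the retrieved certificate against its own trust anchors (or rely on DNSSEC) before signing or encrypting with it.

```python
# Added example (not the poster's code): encode/decode DNS CERT RRs (RFC 4398)
# so a mail gateway can publish or parse one X.509 certificate per domain.
# The certificate bytes, owner name and DNSKEY RDATA below are constructed
# sample data, not a real certificate or key.
import base64
import struct

# Certificate type codes from RFC 4398, section 2.1.
CERT_TYPES = {
    1: "PKIX", 2: "SPKI", 3: "PGP", 4: "IPKIX", 5: "ISPKI",
    6: "IPGP", 7: "ACPKIX", 8: "IACPKIX", 253: "URI", 254: "OID",
}
CERT_TYPE_CODES = {name: code for code, name in CERT_TYPES.items()}

# RDATA header: 16-bit type, 16-bit key tag, 8-bit algorithm, network byte order.
HEADER = struct.Struct("!HHB")


def key_tag(dnskey_rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B (the variant for all algorithms but 1).

    RFC 4398 computes the CERT key tag over the public key embedded in the
    certificate, expressed as DNSKEY RDATA; the caller supplies that encoding.
    """
    ac = 0
    for i, b in enumerate(dnskey_rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def encode_cert_rdata(cert_type, tag: int, algorithm: int, payload: bytes) -> bytes:
    """Build CERT RDATA. cert_type may be a mnemonic ("PKIX"), a numeric string or an int."""
    if isinstance(cert_type, str):
        code = int(cert_type) if cert_type.isdigit() else CERT_TYPE_CODES[cert_type.upper()]
    else:
        code = int(cert_type)
    if not (0 <= code <= 0xFFFF and 0 <= tag <= 0xFFFF and 0 <= algorithm <= 0xFF):
        raise ValueError("CERT field out of range")
    if code in (253, 254) and (tag or algorithm):
        # RFC 4398: key tag and algorithm are not meaningful for URI/OID and MUST be 0.
        raise ValueError("URI/OID CERT records require key tag 0 and algorithm 0")
    return HEADER.pack(code, tag, algorithm) + payload


def decode_cert_rdata(rdata: bytes) -> dict:
    """Parse CERT RDATA from an answer; rejects truncated records."""
    if len(rdata) < HEADER.size:
        raise ValueError("CERT RDATA shorter than its 5-byte header")
    code, tag, algorithm = HEADER.unpack_from(rdata)
    return {
        "type": CERT_TYPES.get(code, str(code)),  # unknown codes are kept numerically
        "type_code": code,
        "key_tag": tag,
        "algorithm": algorithm,
        "payload": rdata[HEADER.size:],
    }


def to_presentation(owner: str, rdata: bytes, ttl: int = 3600) -> str:
    """Zone-file form: owner TTL IN CERT type key-tag algorithm base64-payload."""
    rec = decode_cert_rdata(rdata)
    b64 = base64.b64encode(rec["payload"]).decode("ascii")
    return f"{owner} {ttl} IN CERT {rec['type']} {rec['key_tag']} {rec['algorithm']} {b64}"


def from_presentation(line: str) -> bytes:
    """Inverse of to_presentation; accepts numeric or mnemonic type fields."""
    fields = line.split()
    i = fields.index("CERT")
    type_field, tag_field, alg_field = fields[i + 1:i + 4]
    b64 = "".join(fields[i + 4:])  # base64 may be split across whitespace
    payload = base64.b64decode(b64, validate=True)
    return encode_cert_rdata(type_field, int(tag_field), int(alg_field), payload)


# Constructed sample data (NOT a real certificate or key).
SAMPLE_CERT = bytes(range(0x30, 0x30 + 24))
# DNSKEY RDATA: flags 256 (ZSK), protocol 3, algorithm 5 (RSASHA1), then a fake key.
SAMPLE_DNSKEY_RDATA = struct.pack("!HBB", 256, 3, 5) + b"\x01\x02\x03\x04"


def domain_cert_record(owner: str = "example.com.") -> str:
    """One PKIX CERT RR for a domain key, as a gateway using one key per domain would publish."""
    rdata = encode_cert_rdata("PKIX", key_tag(SAMPLE_DNSKEY_RDATA), 5, SAMPLE_CERT)
    return to_presentation(owner, rdata)


if __name__ == "__main__":
    line = domain_cert_record()
    print(line)
    print(decode_cert_rdata(from_presentation(line)))
```

Run stand-alone it prints the zone-file line for the sample domain key and the parsed record read back from it. The same decoder applied to a live answer gives the gateway the certificate bytes; what it does not give is trust, which has to come from DNSSEC on the answer or from validating the certificate (chain, CRL, OCSP) against the gateway's own trust store.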


