Home page logo

nanog logo nanog mailing list archives

Re: PGP, S/MIME + SSL cross-reference (Was: Dear RIPE: Please don't encourage phishing)
From: Leo Bicknell <bicknell () ufp org>
Date: Fri, 10 Feb 2012 10:01:06 -0800

In a message written on Fri, Feb 10, 2012 at 06:46:43PM +0100, Jeroen Massar wrote:
The problem still lies in the issue that most people, even on this very
list, do not use PGP or S/MIME. (and that there are two standards does
not help much there either ;)

The problem space is still certificate management.

I bet (nearly) everyone on the list uses an e-mail client that can
decode S/MIME.  mutt, pine, Outlook, OSX Mail, gmail, they all do
it.  We all have browsers that do SSL.

OSX at least has a central certificate store (Keychain), although
it's not up to the tasks of the world I wish to have.  Other OS's
provide no central store, so each application maintains their own
key store.  We have a very real problem of pre-loading the key
store, for instance root certificate trust for X.509 certificates.

We need a central certificate store on every platform, easy, secure ways
to transfer/sync it (to say, moble devices), and a bit of UI goo.
Imagine a capability as simple as being able to add a description to a
cert in your key store.  I should be able to download my bank's cert,
verify it (call and check finger print, check a trusted third party,
web of trust, probably multiple ways, automated, would be best) and then
tag it "Leo's Bank".

When I get e-mail from it, or go to it with my web browser it should now
say "Leo's Bank" in all of my software, telling me not only do I have
the little padlock, but it's the certificate I personally validated.

When I click on a link in e-mail it should pass the URL AND KEY to
the next program (e.g. my browser).  My browser can then silently
load if they are the same, or give me a big pop up "The person who
sent this e-mail is different from the person who runs this web

It's all UI.  No new technology, protocols, encryption formats or other
things are needed.  It's making end user software act in a responsible

Of course I'd also prefer my bank allowed me to provide my certificate
to them, and they crypto authenticated me (perhaps in addition to
passwords and pins).  This should all be two-way.

       Leo Bicknell - bicknell () ufp org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/

Attachment: _bin

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]