Thursday, December 08, 2005

Re: X.509 / PKI, PGP, and IBE Secure Email Technologies

According to Ed:
> To help develop a common yardstick, I would like feedback (also by
> private email) on a list of desirable secure email features as well
> as a list of attacks or problems, with a corresponding score card for
> the secure email technologies X.509 / PKI, PGP and IBE. The paper
> is at http://email-security.net/papers/pki-pgp-ibe.htm

Nice paper. I didn't have time to look at it in detail, but here are a
few minor comments ...

I think it would be better to have different tables for
attacks vs. problems. For example "must pre-enroll rcpts" may
be an "unwanted feature", but it is really something different
compared to an attack, i.e., a problem leading to an attack
such as "open message headers".

Further, I'm not sure about the general categories you have.
"PKI" is a very broad term. PGP and its web-of-trust is
also some kind of PKI and of course I could build a closed/private
PKI using OpenPGP keys.

It may be easier to compare the different technologies if
you compare the message format (e.g., S/MIME vs. PGP/MIME)
independent from the rest of the system, i.e., from the PKI.
As "PKI technologies" I would think of X.509-based PKIs (PKIX),
vs. IBE-based vs. OpenPGP-based ...
An attack against "open message headers" is not related to
a system using X.509 certs or OpenPGP keys, but it is just
a matter of the message format being used, e.g., S/MIME.
If I remember correctly most IBE-based systems also use
S/MIME or at least something derived from it like the Voltage
IBE product.
And an attack related to how key revocation is handled is
unrelated to a system using S/MIME or PGP/MIME.

BTW, have you considered adding the Ciphire system to your
comparison (http://www.ciphire.com)?


ciao...
--
Lars Eilebrecht
