Tuesday, December 13, 2005

Re: X.509 / PKI, PGP, and IBE Secure Email Technologies

Not to side track the discussion, but frequently I've heard PKI
compared to PGP's model. Isn't PGP's trust model the same as everyone
being their own CA?

I find PGP to be problematic. Many keys I see are only self-signed,
and this includes important keys like CERT. Many others sit unsigned
on the same website you access to download the source code protected
by it. And 90% of the time when they have more than one signature you
don't have a key that signed the other party's key, so you get to do a
breadth-first search manual-like (pathserver being dead and all).
Even with kgpg pulling the keys from a keyserver for you, it's still
non-trivial.

I successfully inspired a local keysigning, but it seems like most of
the people didn't see any immediate benefit, and so declined to
participate. "What does this mean for me" was a common question. I
tried to explain the purpose, but I suspect it is too recondite or too
far removed from their experience. Perhaps I'd have better luck by
stating what kind of attacks it would prevent (email spoofing being
relatively rare, save for some obvious spam tactics). I'm open to any
suggestions along these lines.

--
Travis H.

No comments: