PGP, S/MIME + SSL cross-reference (Was: Dear RIPE: Please don't encourage phishing)

Leo Bicknell bicknell at ufp.org
Fri Feb 10 18:01:06 UTC 2012


In a message written on Fri, Feb 10, 2012 at 06:46:43PM +0100, Jeroen Massar wrote:
> The problem still lies in the issue that most people, even on this very
> list, do not use PGP or S/MIME. (and that there are two standards does
> not help much there either ;)

The problem space is still certificate management.

I bet (nearly) everyone on the list uses an e-mail client that can
decode S/MIME.  mutt, pine, Outlook, OSX Mail, gmail, they all do
it.  We all have browsers that do SSL.

OSX at least has a central certificate store (Keychain), although
it's not up to the tasks of the world I wish to have.  Other OS's
provide no central store, so each application maintains their own
key store.  We have a very real problem of pre-loading the key
store, for instance root certificate trust for X.509 certificates.

We need a central certificate store on every platform, easy, secure ways
to transfer/sync it (to say, moble devices), and a bit of UI goo.
Imagine a capability as simple as being able to add a description to a
cert in your key store.  I should be able to download my bank's cert,
verify it (call and check finger print, check a trusted third party,
web of trust, probably multiple ways, automated, would be best) and then
tag it "Leo's Bank".

When I get e-mail from it, or go to it with my web browser it should now
say "Leo's Bank" in all of my software, telling me not only do I have
the little padlock, but it's the certificate I personally validated.

When I click on a link in e-mail it should pass the URL AND KEY to
the next program (e.g. my browser).  My browser can then silently
load if they are the same, or give me a big pop up "The person who
sent this e-mail is different from the person who runs this web
site."

It's all UI.  No new technology, protocols, encryption formats or other
things are needed.  It's making end user software act in a responsible
way.

Of course I'd also prefer my bank allowed me to provide my certificate
to them, and they crypto authenticated me (perhaps in addition to
passwords and pins).  This should all be two-way.

-- 
       Leo Bicknell - bicknell at ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 826 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20120210/de56882a/attachment.sig>


More information about the NANOG mailing list