>You have cut up my comment in a way that makes it look like I am 
>saying something different from what I intended. I am not saying 
>S/MIME as implemented in Outlook or Netscape is hard to use in 
>general. On the contrary, I think it is a shame that secure e-mail 
>clients are on most people's desktops and are not being used.

Sorry, but I don't see how else I could interpret it in the context
of S/MIME vs. PGP.

>What I am saying is that it is way too hard to initially establish a 
>secure link between two individuals who know each other. That is the 
>most common need for individual users.

OK, you need to use a program called MAKECERT.EXE that comes with
Office 2000. This creates a self signed cert. The two users can then
exchange their certs and authenticate them out of band (by telephone
for example) if they really fear a man in the middle attack.

The hassle involved is pretty much identical to the hassle of PGP
keysigning and all that stuff.

I disagree that this is more work than applying for a Thawte
cert, but then again I would, wouldn't I, being that I'm the big 
brother CA and all that.

>It should not be 
>much harder for two individuals to exchange keys than it is to get on 
>each other's AOL buddy lists. The right tool for key exchange could 
>make it that easy.

I agree and have made the same argument. The problem being that
bilateral key exchange is a considerably more risky process than
routing stuff through a CA.

The best solution to the problem would be to persuade ISPs to support
key generation and cert issue as a part of the whole sign up process.
Then it is quite easy to make the whole process completely transparent
to the user. 

>At the moment, Thawte makes getting a cert harder than it needs to 
>be. Go to www.thawte.com and you have to wade through three pages of 
>gobbledygook before you even get to the registration page. 

OK, try VeriSign :-)


The point is that there are now 30-odd companies (including mine) 
that have made an industry out of X.509v3, PKIX, S/MIME and all 
the rest. It is not just VeriSign that has based its product line
on X.509v3, it is also Baltimore, Entrust, X-Cert, Valicert and 
practically all the rest of the security specialists.

The PKI world is very different to what it was in 1990. There is now
a PKI infrastructure out there that works for non-trivial problems.
I was originally reacting to a post that appeared to be entirely
unaware of the changes that have taken place since PGP was released.

The point about PGP was never the code or the email message format,
it was a means of breaking a particular logjam. Phil Z. walked away
from the working group and cooked up his own solution that proved
that a less heavyweight approach was viable, the Gordian knot was cut.

Now I, like most others in the industry, am happy that Phil Z. cut
the knot but that does not mean that the people who stayed AT the
table had nothing to contribute, far from it. As I have said before,
X.509 was the thesis, PGP the antithesis and PKIX represents the
synthesis. The dialectic has led to considerable improvements in
the PKIX design. Simply to dismiss it because its inventors were
not harassed by the FBI seems somewhat arbitrary.


                Phill
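
The out-of-band check described in the message above (exchange self-signed certs, then confirm them by telephone), as an added example that is not part of the original e-mail. The function names are hypothetical and the two "certificates" are constructed stand-in bytes wrapped in PEM armour, since only the hash over the encoded bytes matters for the comparison.

```python
import hashlib
import hmac
import ssl


def fingerprint(pem_cert: str) -> str:
    """SHA-256 over the DER encoding: the value both parties compare."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    return hashlib.sha256(der).hexdigest().upper()


def spoken_form(fp_hex: str, group: int = 4) -> str:
    """Break the digest into short groups that are easy to read aloud."""
    return " ".join(fp_hex[i:i + group] for i in range(0, len(fp_hex), group))


def normalise(heard: str) -> str:
    """Accept what the listener typed: any case, with spaces or colons."""
    return "".join(c for c in heard.upper() if c in "0123456789ABCDEF")


def verify_received(pem_cert: str, heard: str) -> bool:
    """True only if the cert that arrived by e-mail hashes to the value the
    sender read out over the phone. The full digest is required, so a
    partially read or truncated fingerprint is rejected."""
    expected = normalise(heard)
    actual = fingerprint(pem_cert)
    return len(expected) == len(actual) and hmac.compare_digest(expected, actual)


# Constructed sample data: arbitrary bytes standing in for DER certificates.
ALICE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed: alice self-signed cert")
SWAPPED_PEM = ssl.DER_cert_to_PEM_cert(b"constructed: cert substituted in transit")

if __name__ == "__main__":
    # Alice reads this out from the cert on her own machine.
    read_out = spoken_form(fingerprint(ALICE_PEM))
    print("Alice reads:", read_out)
    # Bob checks whatever arrived in his inbox against what he heard.
    print("genuine cert accepted:", verify_received(ALICE_PEM, read_out))
    print("swapped cert accepted:", verify_received(SWAPPED_PEM, read_out))
```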
