Michael, I think we are looking for different things.
I'm looking for a system that offers authenticated and confidential messaging which would among other things include mobile phone voice messaging. If such a system would require users to trust certificates and stuff, it will fail. Our current only alternative is the trusted provider concept. I'm interested in making the trusted provider something else than Vodafone; which could be your employer or Google, and for the really paranoid a server you run yourself.

It seems that Eddy's Jabber system is an even lighter alternative because it doesn't seem to require end-users "trusting" anything other than their provider.

Anders

----- Original Message -----
From: "Michael Ströder" <[EMAIL PROTECTED]>
Newsgroups: mozilla.dev.tech.crypto
To: <dev-tech-crypto@lists.mozilla.org>
Sent: Tuesday, November 25, 2008 21:52
Subject: Re: Creating a Global User-level CA/Trust Infrastructure for Secure Messaging

Anders Rundgren wrote:
> I want each organization/domain entity that can afford an SSL certificate to
> become a virtual CA and run their own secure messaging center. Based on
> the SSL certificate they can use whatever issuance policies they feel
> comfortable with as long as they keep inside of their "PKI sandbox" which is
> (by the not yet defined application), constrained regarding subject
> naming-schemes.
>
> This is BTW, how I believe secure e-mail should have been from the beginning;
> secured at the domain-level.

Anders, that's not the real problem with S/MIME or PGP. Encrypting/signing is simply not a business requirement.

One of my customers has a special CA for issuing S/MIME certs to its own internal end users. The end users are always surprised how easily they can get an S/MIME cert within a minute. But the external partners are not obliged to encrypt e-mail and they are not willing to do the necessary work on their side.

I already tried this 10 years ago with a PKI which would have issued certs to external partners. They were not willing to do their part even if made fairly simple.

=> Encrypting/signing must be made a business requirement in contracts. That's the whole point. And there's no technical solution for it.

Ciao, Michael.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto