Michael,

I think we are looking for different things.

I'm looking for a system that offers authenticated and confidential
messaging which would among other things include mobile phone voice messaging.
If such a system would require users to trust certificates and stuff, it will
fail.

Our current only alternative is the trusted provider concept.  I'm interested
in making the trusted provider something else than Vodafone; which could
be your employer or Google, and for the really paranoid a server you run
yourself.

It seems that Eddy's Jabber system is an even lighter alternative because
it doesn't seem to require end-users "trusting" anything other than their provider.

Anders

----- Original Message ----- 
From: "Michael Ströder" <[EMAIL PROTECTED]>
Newsgroups: mozilla.dev.tech.crypto
To: <dev-tech-crypto@lists.mozilla.org>
Sent: Tuesday, November 25, 2008 21:52
Subject: Re: Creating a Global User-level CA/Trust Infrastructure for Secure Messaging


Anders Rundgren wrote:
> I want each organization/domain entity that can afford an SSL certificate to
> become a virtual CA and run their own secure messaging center.  Based on
> the SSL certificate they can use whatever issuance policies they feel comfortable
> with as long as they keep inside of their "PKI sandbox" which is (by the not
> yet defined application), constrained regarding subject naming-schemes.
>
> This is BTW, how I believe secure e-mail should have been from the beginning;
> secured at the domain-level.

Anders, that's not the real problem with S/MIME or PGP.
Encrypting/signing is simply not a business requirement.

One of my customers has a special CA for issuing S/MIME certs to its own
internal end users. The end users are always surprised how easily they can
get an S/MIME cert within a minute. But the external partners are not
obliged to encrypt e-mail and they are not willing to do the necessary
work on their side. I already tried this 10 years ago with a PKI which
would have issued certs to external partners. They were not willing to
do their part even if made fairly simple.

=> Encrypting/signing must be made a business requirement in contracts.
That's the whole point. And there's no technical solution for it.

Ciao, Michael.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto 
