On 22/7/09 17:03, Udo Puetz wrote:
> On 21 Jul., 14:34, Eddy Nigg <eddy_n...@startcom.org> wrote:
>> Udo, that's all fine and understood. What are the improvements you think
>> should be made to Thunderbird (and/or Firefox) besides what you claim to
>> be a bug in TB? Is the bug the only thing which prevents hardware tokens
>> and certificates to become mainstream?
>
> Hmm, here are my ideas:
> -integrate enigmail into TB.
> -When a user starts TB the first time, query gpg key servers for the
> name the user specified. If name is found, ask if he wants to import
> his (previous existing) keys. Else create a new one, with easy dialogs
> and helpful error messages
> -when the user writes to someone, query the gpg key servers to see if
> the recipient has a key there and either query the sender if he wants
> to encrypt or look up a "general setting" field if it should always be
> done

Great ideas, but we've seen them before, and that ain't going to happen.
Sorry. For various reasons.
Here's how I see this progressing.
1. You will be told, "you have to do it," because the existing team is
too busy. "Don't criticise, code." Hell, you got told that above :)
The "reason" is true, but the causality is not. See 2.
2. Even if you do it, it will be rejected by the existing security
developer team of Mozilla. They first will tell you it is because that
approach is not standard, and Mozo follows standards. The "reason" in
this case is false, because OpenPGP is now an IETF draft standard. So,
see 3.
3. You'll still get massive resistance. That's because all of the
mozilla security code, security developers, most of the committees, and
the companies that pay for the developers, the CAs, etc etc are all
invested heavily in PKI. They've got nothing invested in OpenPGP.
They've got every dime invested in selling certificates and selling
certificate oriented solutions.
What you are offering will rip the guts out of that business model, so
you won't get any support. In fact you'll be opposed, every step of the
way. Nobody wants to lose their jobs, and you're trying to take their
jobs away from them.
It's not personal, it's just how things are. Your exact same model can
be proposed for S/MIME, and I've proposed it and it's been rejected.
Anything that challenges the business model will be ignored, rejected,
fought, and ultimately sabotaged, because delivering easy certificates
reduces the business model.
I'm sorry to be truly skeptical, non-helpful, and bordering on hateful.
But I wasted years trying to understand why Mozilla isn't going to do
this. Don't you waste your years, you won't get them back.
> -Integrate weave into TB. Can't the same keys be used there for
> encryption of the config data?
> -Use win key store on win. Both FF and TB. If a hw token is found ask
> the user if he wants to utilize it.
> -work together with gnome and kde folks, I just read that the work on
> a common key infrastructure (http://www.golem.de/0907/68458.html,
> sorry, German only)
> -work together with opensc folks.
> -generally: useful and correct error messages!!
> How about these ideas?

Great ideas. Sorry about that.
iang
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto