RE: Software for PKI
"Ramsay, Ron" <Ron.Ramsay@xxxxxx> writes:
>The aim of a PKI must surely be to prevent you from erroneously accepting a
>public key as belonging to a principal you wish to communicate with when it
>actually doesn't.
It depends. If you can't *get* a key then it doesn't matter whether it's
certified, authenticated, authorised, etc etc up the wazoo. The primary aim of
a PKI is therefore to get you a key. After that, you can look at verifying it.
(It's like water in a desert, your primary goal is to find the stuff, after
that you can decide whether you want to drink it or not. If you can't find it
in the first place it doesn't matter whether it's clean or not).
What PGP gives you is a means of getting a key (go to any PGP keyserver, enter
the victim's name or email address, grab the key). That at least gives you
probable security, in the sense that it's the real thing with a high
probability. I wouldn't even know where to start doing the same thing with
X.509, because I have no idea where to look for a key. The result is
highly-probable email security vs no email security. I'll take the
highly-probable option, thanks.
(The effective security or lack thereof of a PGP WoT key vs a Verisign free
email cert can be argued elsewhere. Cream pies will be provided).
Peter.