In <003701bf84c2$d4fc4e50$[EMAIL PROTECTED]>, on 03/02/00 
   at 09:44 PM, "Phillip Hallam-Baker" <[EMAIL PROTECTED]> said:


>> Wait a minute. If I remember correctly, *Thawte* does X.509 in PGP,
>> already, right?

>Sure does, the problem with the analysis many have been making is that
>it is 5 years out of date.

>X.509v1 had problems, the PEM system based on X.509v1 had worse problems.

>PGP represented the antithesis of PEM, presenting a useful criticism.

>X.509v3 and the PKIX architecture are the synthesis of both sets of
>ideas.

>It is time to move on from the state of crypto in 1992 when PGP first
>surfaced. It is NOT the most widely used email security solution by the
>way. Lotus Notes has held that position for many years. Today the 60
>million S/MIME clients define the standard (Notes R5, Microsoft,
>Netscape...).

This is pure FUD worthy of Sternlight himself (as a matter of fact he has
been using this false argument for years). There may well be more than 60
million S/MIME clients out there if you count every copy of Outlook &
Netscape, but how many are actually being used for e-mail? I would have
to say that it is a very small percentage of the entire installation base.
Now out of those who are using these clients for e-mail an even smaller
percentage are making use of the S/MIME protocols. +60 million
installations != 60 million S/MIME users.

This does not even address the millions of S/MIME clients out there that
only provide a substandard level of encryption to their users. Export
versions of S/MIME clients are BAD (Broken As Designed).

Almost every S/MIME client is closed source. The applications are closed
source & the crypto libs are closed source. None of them have been tested
nor peer-reviewed. Both Microsoft & Netscape (IMHO) have been criminally
negligent when it comes to the security of their products. Even if they
have not put in back doors for their own use and the use of others, their
sheer incompetence in the field of data security makes the use of their
products unrecommended.

S/MIME is a standard but it is not *the* standard for e-mail encryption &
digital signatures.

-- 
---------------------------------------------------------------
William H. Geiger III                    http://www.openpgp.net  
Geiger Consulting    

Data Security & Cryptology Consulting
Programming, Networking, Analysis
 
PGP for OS/2:                   http://www.openpgp.net/pgp.html
---------------------------------------------------------------
