Anders Rundgren wrote:
I think we are looking for different things.
I'm looking for a system that offers authenticated and confidential
messaging which would among things include mobile phone voice messaging.
But it's the very same problem.
If such system would require users to trust certificates and stuff, it will
fail.
Off course you can use untrusted keys but then you have the MITM issue
(as others already mentioned).
Our current only alternative is the trusted provider concept. I'm interested
in making the trusted provider something else than Vodafone; which could
be your employer or Google, and for the really paranoid a server you run
yourself.
As I wrote even if you have your domain-wide PKI the other end has to
also do the homework. If there's no real business requirement to do so
they will not.
Ciao, Michael.
----- Original Message -----
From: "Michael Ströder" <[EMAIL PROTECTED]>
Newsgroups: mozilla.dev.tech.crypto
To: <dev-tech-crypto@lists.mozilla.org>
Sent: Tuesday, November 25, 2008 21:52
Subject: Re: Creating a Global User-level CA/Trust Infrastructure
forSecureMessaging
Anders Rundgren wrote:
I want each organization/domain entity that can afford an SSL certificate to
become a virtual CA and run their own secure messaging center. Based on
the SSL certificate they can use whatever issuance policies they feel
comfortable
with as long as they keep inside of their "PKI sandbox" which is (by the not
yet defined application), constrained regarding subject naming-schemes.
This is BTW, how I believe secure e-mail should have been from the beginning;
secured at the domain-level.
Anders, that's not the real problem with S/MIME or PGP.
Encrypting/signing is simply not a business requirement.
One of my customers has a special CA for issuing S/MIME certs to its own
internal end users. The end users are always surprised how easy they can
get a S/MIME cert within a minute. But the external partners are not
obliged to encrypt e-mail and they are not willing to do the necessary
work on their side. I already tried this 10 years ago with a PKI which
would have issued certs to external partners. They were not willing to
do their part even if made fairly simple.
=> Encrypting/signing must be made a business requirement in contracts.
That's the whole point. And there's no technical solution for it.
Ciao, Michael.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
