Just a couple of points here.
Michael pretty much made this point, but I'd like to amplify it.
PGP's trust model is MUCH better for organisations that communicate mainly
within themselves. Since everyone in your organisation is probably
personally known by someone within one or two degrees of separation, the
concept of signed keys gives you much more faith that the message is
actually from who it purports to be from.
Organisations that want to verify their _internal_ correspondence would be
foolish to rely on a trusted third party. PGP offers much better tools for
this sort of thing. Including, I might add, the much-maligned "additional
decryption keys".
External CAs _cannot_ give you the same level of trust, and will tend to
lack flexibility when adding / removing employees, re-issuing certs etc etc.
Yes, you could set up an internal CA and _then_ use S/MIME, but that's only
a good plan if you need a PKI for other internal stuff as well. Even then,
in my opinion, you're placing too much faith in your CA and CA
administrator. PGP keys signed by several people offer more assurance -
especially if you've signed your correspondent's key yourself.
Where the Trusted Third Party model comes into its own is frequent
communication from people that you've never met _and_ nobody you trust has
met. My PGP key, for example, is useless to most of you. My name could be
Sharon Haxor, for all you know - as long as I had two or three people help
me with my ruse I'd be set.
If I had a Digital Cert, though, you'd have at least some vague indication
that I'm using my own name etc - although it's all down to how much checking
the CA does when issuing certs. Which is often not enough.
Anyway, I'm off rambling again. Think about trust, not product.
Cheers,
--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
> -----Original Message-----
> From: Michael T. Babcock [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 8 February 2001 9:16
> To: Jose Nazario; Naor Lipa
> Cc: '[EMAIL PROTECTED]'
> Subject: Re: Auth. for mail messages
>
>
> PGP uses (almost) the same authentication model (public key-based signatures
> of key) as any other key hierarchy. The only difference is that with PGP,
> you can decide who to trust for yourself.
>
> As the IS manager, I create a key and then manually sign all the keys for
> other employees. My key is added to each of their key-rings and they then
> can trust any key with my signature on it. Key management becomes much
> easier than using "pay as you go" style authentication by a company who
> barely runs a background check.
>
> You can run your own PKI very easily using PGP's tools -- and you're in full
> control.
>
> ----- Original Message -----
> From: "Jose Nazario" <[EMAIL PROTECTED]>
> To: "Naor Lipa" <[EMAIL PROTECTED]>
> Cc: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> Sent: Wednesday, February 07, 2001 11:35 AM
> Subject: Re: Auth. for mail messages
>
>
> On Wed, 7 Feb 2001, Naor Lipa wrote:
>
> > We are using outlook 2000, and I am considering using PGP plug-in for
> > them. Do you have any ideas?
>
> PGP's trust model is nice, but hardly bulletproof given it's a user-based
> web of trust. Have you considered S/MIME with a small PKI, one which you
> could integrate with other collaborators?
>
> ____________________________
> jose nazario [EMAIL PROTECTED]
> PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
> PGP key ID 0xFD37F4E5 (pgp.mit.edu)
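A worked illustration of the key-validity rule the thread argues over, added here as an example and not taken from Ben's, Michael's or Jose's messages: a toy model of PGP's ownertrust/validity computation, assuming GnuPG's defaults (one fully trusted signature or three marginal ones, chains at most five deep) and using constructed key names and signatures. It shows Michael's IS-manager-as-introducer setup validating colleagues' keys, and why Jose's caveat about a user-based web of trust comes down to the marginal-signature threshold.

```python
from dataclasses import dataclass, field

ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"  # ownertrust levels

@dataclass
class Keyring:
    """One user's keyring: who signed which key, and how far the owner trusts each signer."""
    signatures: dict = field(default_factory=dict)  # target key -> set of signer keys
    ownertrust: dict = field(default_factory=dict)  # signer key -> trust level
    marginals_needed: int = 3  # GnuPG default; classic PGP used 2
    max_depth: int = 5         # longest introducer chain considered

    def sign(self, signer, target):
        self.signatures.setdefault(target, set()).add(signer)

    def is_valid(self, key, depth=0):
        """Valid if signed by one fully trusted introducer, or marginals_needed marginal ones, whose own keys are valid."""
        if self.ownertrust.get(key) == ULTIMATE:
            return True  # the owner's own key is valid by definition
        if depth >= self.max_depth:
            return False
        completes = marginals = 0
        for signer in self.signatures.get(key, ()):
            if signer == key or not self.is_valid(signer, depth + 1):
                continue  # self-signatures and unvalidated introducers count for nothing
            trust = self.ownertrust.get(signer, UNKNOWN)
            if trust in (ULTIMATE, FULL):
                completes += 1
            elif trust == MARGINAL:
                marginals += 1
        return completes >= 1 or marginals >= self.marginals_needed

def internal_scenario():
    """Michael's setup seen from Alice's keyring: she verified the IS manager's key in
    person and trusts it fully; the manager signed every colleague's key (constructed names)."""
    alice = Keyring(ownertrust={"alice": ULTIMATE, "manager": FULL})
    alice.sign("alice", "manager")
    for colleague in ("bob", "carol"):
        alice.sign("manager", colleague)
    return alice.is_valid("bob"), alice.is_valid("carol"), alice.is_valid("unsigned")

def marginal_scenario():
    """Jose's caveat: a key vouched for only by marginally trusted signers is valid only
    once marginals_needed of them have signed it, so that threshold is the safeguard."""
    ring = Keyring(ownertrust={"me": ULTIMATE, "h1": MARGINAL, "h2": MARGINAL, "h3": MARGINAL})
    for helper in ("h1", "h2", "h3"):
        ring.sign("me", helper)  # the owner met each helper and signed their key
    ring.sign("h1", "newcomer")
    ring.sign("h2", "newcomer")
    two_signers = ring.is_valid("newcomer")  # False: two marginals are below the threshold
    ring.sign("h3", "newcomer")
    return two_signers, ring.is_valid("newcomer")  # (False, True)
```

Raising `marginals_needed` or lowering `max_depth` on the keyring is the knob a cautious user turns when, as Jose notes, they do not want to lean on a web of strangers' signatures.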