Hello,

You are wrong in this regard: PGP is widely
adopted (and what is your definition of
"the world"?). And it makes perfect sense
to have both worlds.

I won't argue with that...
But the trend is not in favor of PGP.

OpenPGP offers a completely different trust
model which suits the needs of some users
very well (you can establish a web of trust
with anyone without overhead) while S/MIME
(or better: X.509) uses a centralized, CA-
based model. For some applications I would
never trust a commercial certification
authority, so in X.509 you have to operate
your own CA...

You are wrong!
You can use self-signed certificates in a trust model similar to PGP.

Both S/MIME and OpenPGP are standards (S/MIME
v.1 was more or less proprietary stuff),
you might have a look at the corresponding IETF
working groups (http://www.ietf.org/).

True... I know... But the S/MIME standard is the one that is implemented in every mail client program... not PGP...


Well, you might have a look at KMail, which
uses all the GPG 1.9 stuff. I was impressed
by having a key manager, a smart card daemon
and the easy interface of gpg-agent. This
framework does far more than any PKCS11-
implementation: For example it is able to
handle revocation lists and OCSP-queries.
This enables applications to use S/MIME without
re-inventing the wheel.

You don't understand what PKCS#11 is!!!!
Maybe that is the reason for all of these arguments...

PKCS#11 is an API needed to access cryptographic tokens. PKCS#11 is NOT OCSP or PKI or X.509. It just specifies how an application should access a cryptographic token that can perform hashing, symmetric and asymmetric key operations, key handling etc... A typical application needs to use PKCS#11 __ONLY__ for the following purposes:
1. Perform operations with a private key located on the token.
2. Fetch X.509v3 Digital Certificates from the token (User identities).

So please be fair: Both S/MIME and PGP have
their advantages and disadvantages. And GPG
seems to be on the way to be able to handle
both. This sounds like a good idea to me.

I am sorry, but I don't agree.
I don't find any advantage in keeping the OpenPGP formats. There is PKCS#7 for signed/enveloped data and S/MIME that uses PKCS#7 for email. Using self-signed certificates and PKCS#7 and S/MIME you get a full replacement for PGP... It will take several years, but eventually it will happen. Even pgp corp (www.pgp.com) understood that its future is in S/MIME and PKI, so they are adjusting their product toward it.

My initial request was to consider supporting the PKCS#11 standard in order to access keys that are located on cryptographic tokens, instead of using a proprietary card format... This should be done regardless of our small debate regarding S/MIME and PGP.

I hope you read more regarding PKCS#11 (www.rsasecurity.com/rsalabs/pkcs/pkcs-11/index.html) and understand its role in cryptographic applications and that gpg can benefit from it.

Best Regards,
Alon Bar-Lev.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
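As an added illustration of the two PKCS#11 purposes listed in the message above (not code from this thread or from GnuPG), the following program uses the JDK's SunPKCS11 provider to fetch the X.509 certificates stored on a token and to sign with a private key that never leaves the token; the module path, slot index and PIN are assumptions that must match your own token software (e.g. OpenSC or SoftHSM).

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;

public class Pkcs11TokenDemo {
    public static void main(String[] args) throws Exception {
        // Assumed values (not from the thread): path of the vendor's PKCS#11
        // module and the user PIN, both overridable on the command line.
        String modulePath = args.length > 0 ? args[0] : "/usr/lib/opensc-pkcs11.so";
        char[] pin = (args.length > 1 ? args[1] : "1234").toCharArray();

        // SunPKCS11 is the JDK's generic bridge to any PKCS#11 module.
        // A config string starting with "--" is read inline (JDK 9+).
        Provider p = Security.getProvider("SunPKCS11")
                .configure("--name=demo\nlibrary=" + modulePath + "\nslotListIndex=0");
        Security.addProvider(p);

        // Purpose 2: certificates on the token are exposed as KeyStore entries.
        // load() performs the C_Login with the PIN; no key material is read.
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);

        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) continue; // skip CA/trust-only certs
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            System.out.println(alias + ": " + cert.getSubjectX500Principal());

            // Purpose 1: the PrivateKey object is only a handle to the token
            // key; every signing operation is performed inside the token.
            PrivateKey key = (PrivateKey) ks.getKey(alias, pin);
            String alg = "EC".equals(key.getAlgorithm()) ? "SHA256withECDSA" : "SHA256withRSA";
            byte[] data = "constructed sample message".getBytes(StandardCharsets.UTF_8);

            Signature signer = Signature.getInstance(alg, p);
            signer.initSign(key);
            signer.update(data);
            byte[] sig = signer.sign();

            // Verify with the certificate's public key (software, any provider).
            Signature verifier = Signature.getInstance(alg);
            verifier.initVerify(cert.getPublicKey());
            verifier.update(data);
            System.out.println("  signature valid: " + verifier.verify(sig));
        }
        Arrays.fill(pin, '\0'); // do not leave the PIN in memory longer than needed
    }
}
```

Run it as `java Pkcs11TokenDemo /path/to/module.so <PIN>`; the same program works unchanged against any PKCS#11 module, which is exactly the "no proprietary card format" point being argued.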
