Christian Barmala wrote:
> 
> I consider PGP more secure than S/MIME, because you have more control 
> over each step and you get the source.

Such a general statement is not valid. This really depends on the
implementation. Note that implementations for both protocols had
their security flaws in the past...

> "Nelson B. Bolyard" <[EMAIL PROTECTED]> wrote:
> > While I appreciate that S/MIME is based on certificates, I think of 
> > that as a flaw in S/MIME, not a benefit. As you know, getting a 
> > certificate means giving all your information (and some money?
> > I know it costs money
> > for a secure website) to some big company that personally I don't
> > particularly trust at all.

One can issue self-signed certificates and operate S/MIME just like
peer-to-peer web-of-trust with PGP. That's not a protocol issue.
Personally I suggest that even mid-sized companies run their own CA.
Other people prefer a globally acting CA. Everything's possible and
the trust model is simply your own choice.

> On Thursday, April 26, 2001 5:03 AM "Ben Bucksch"
> <[EMAIL PROTECTED]> wrote:
> > I did try to use that at some point. I was turned off by the fact that
> > existing clients (Messenger 4.x, maybe also Outlook [Express]) on the
> > recipient side boldly mark my certificate as INVALID in the UI. This
> > scares recipients too much - not workable.
> 
> That's also an issue with my CA. You have to import my root 
> certificate and because I don't verify the user's identity in
> any way, you have to decide whether to find your own method to
> do this e. g. by registering your
> "Fingerprint" at the personnel department,

I'm really curious how you guys would implement it in a better way.
Please make suggestions on how to make it clearer to users that a
public-key is not trusted without scaring them. I'm pretty sure that
the Mozilla folks will be happy about thoroughly thought-through
suggestions for the UI.

Again properly placing trust is a boot-strap PKI problem, not an
issue whether you're using PGP, S/MIME with X.509 certs, DNSSEC or
whatever PKI system. There are various papers describing these
problems in detail. I'd suggest reviewing these papers.

Ciao, Michael.
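The trust model discussed in this thread (a self-signed root for your own CA, a user certificate issued under it, and a recipient who sees the certificate as untrusted until they import that root after checking its fingerprint out of band) as a worked example. This is added illustration, not code from any participant in the thread; it uses only Go's standard library, and "Example Org" and alice@example.org are made-up values. It covers certificate issuance and chain verification only; the S/MIME (CMS) message signing itself is not in Go's standard library and is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// BuildOrgPKI creates a self-signed root CA for org and issues one
// email-protection (S/MIME-style) certificate for email under it, all in
// memory with throwaway P-256 keys. A real CA would keep its key offline.
func BuildOrgPKI(org, email string) (root, user *x509.Certificate, err error) {
	now := time.Now()
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{org}, CommonName: org + " Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	// Self-signed: the template is its own parent and signs with its own key.
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	if root, err = x509.ParseCertificate(rootDER); err != nil {
		return nil, nil, err
	}

	userKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	userTmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(2),
		Subject:        pkix.Name{Organization: []string{org}, CommonName: email},
		EmailAddresses: []string{email}, // rfc822Name SAN that mail clients match
		NotBefore:      now.Add(-time.Hour),
		NotAfter:       now.AddDate(1, 0, 0),
		KeyUsage:       x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	// Issued by the root: parent is the root certificate, signer is the root key.
	userDER, err := x509.CreateCertificate(rand.Reader, userTmpl, root, &userKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	if user, err = x509.ParseCertificate(userDER); err != nil {
		return nil, nil, err
	}
	return root, user, nil
}

// VerifyUserCert checks a user certificate against only the roots the
// recipient has imported. With none imported (a fresh mail client facing a
// private CA) no chain can be built and the certificate is reported as
// untrusted; once the root is imported, the same chain verifies.
func VerifyUserCert(user *x509.Certificate, trustedRoots ...*x509.Certificate) error {
	pool := x509.NewCertPool() // deliberately not the system pool
	for _, r := range trustedRoots {
		pool.AddCert(r)
	}
	_, err := user.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	})
	return err
}

// Fingerprint returns the hex SHA-256 fingerprint of a certificate's DER
// encoding: the value a recipient compares out of band before importing a root.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

func main() {
	root, user, err := BuildOrgPKI("Example Org", "alice@example.org")
	if err != nil {
		panic(err)
	}
	fmt.Println("root SHA-256 fingerprint:", Fingerprint(root))
	fmt.Println("no root imported:", VerifyUserCert(user))
	fmt.Println("root imported:   ", VerifyUserCert(user, root))
}
```

The first verification fails with an unknown-authority error, which is the condition a client renders as "invalid" or "untrusted"; the second succeeds because the recipient has added the organisation's root to their own trust store. Publishing the root's fingerprint through a channel the recipient already trusts (the personnel department example in the thread) is what turns that import from a guess into a verified decision.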
