I believe that one reason why encrypted email, and digitally-signed documents, are not as popular as we would want them to be is the inconvenience of distribution/authentication of our public keys. If I do not have the money to get my public key certified by Verisign, then I must use GnuPG, and get my peers/friends to sign my public key and hope that others would trust my friends' signatures. This can result in a personal key with a dozen or so signatures affixed by my friends. Or I could use an openssl-generated public-private key pair (which is really more useful because the popular browsers already understand SSL), but if my certificate is self-signed, no one would trust my certificate either.

Why can't life be much simpler? Why can't the same server that handles your mail also give out certified public keys of people whose mail it handles anyway? This simply means that when you apply for email service, you have to come in person, bringing with you proof that you are really this person (passport, employment ID, etc.), together with your openssl-generated public key (on a diskette, in your Palm PDA, on your IrDA-enabled phone, etc.). The email service provider then signs your public key and uploads the certificate to the mail server and possibly to the LDAP server in charge of giving out public keys. You could also get the certificate on a diskette, in your Palm or phone, etc.

What do you think? And why is this issue not even touched in the recently passed "electronic something" law of the Philippines?

PMana

Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
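
The flow proposed in this post, sketched with the openssl command line as an added example (not part of the original message): the provider signs the user's request, and a correspondent checks certificates against the provider's CA. The provider name, user name, address and file names are constructed, and the in-person identity check is assumed to happen before the signing step.

```shell
#!/bin/sh
# Added example. All names, addresses and file names are constructed.
set -eu

# Provider, once: CA key and self-signed CA certificate.
make_provider_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/O=Example Mail Provider/CN=Example Mail Provider CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# User: key pair plus a certificate request naming the mailbox.
make_user_request() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=Juan dela Cruz/emailAddress=juan@mail.example" \
        -keyout "$1/user.key" -out "$1/user.csr" 2>/dev/null
}

# Provider, after checking the applicant's ID in person: sign the request.
sign_user_request() {
    openssl x509 -req -in "$1/user.csr" -days 365 \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -set_serial 1 \
        -out "$1/user.crt" 2>/dev/null
}

# For comparison: the same user key with a self-signed certificate.
make_self_signed() {
    openssl req -x509 -new -key "$1/user.key" -days 365 \
        -subj "/CN=Juan dela Cruz/emailAddress=juan@mail.example" \
        -out "$1/selfsigned.crt" 2>/dev/null
}

# Correspondent: trust a certificate only if it chains to the provider CA.
check_cert() {
    if openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
    then echo trusted
    else echo untrusted
    fi
}

demo() {
    dir=$(mktemp -d)
    make_provider_ca "$dir"; make_user_request "$dir"
    sign_user_request "$dir"; make_self_signed "$dir"
    echo "provider-signed: $(check_cert "$dir" "$dir/user.crt")"
    echo "self-signed:     $(check_cert "$dir" "$dir/selfsigned.crt")"
    rm -rf "$dir"
}
demo
```

The correspondent needs only the provider's `ca.crt` to check any mailbox holder's certificate, which is the distribution saving the post argues for.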
