Should I use S/MIME?
Mark H. Wood
mwood at IUPUI.Edu
Mon Nov 8 14:02:08 CET 2004
-----BEGIN PGP SIGNED MESSAGE-----
I'm not prepared to address the original question, but some of the
responses are dancing around an issue which, in my opinion, is too little
On Sat, 6 Nov 2004, Simon Josefsson wrote:
> If someone knows of a public X.509 CA that issue you a certificate if
> you prove possession of a private key and an email address, I am
> interested and would recommend it to others. Heck, even one that give
> you a certificate and a private key if you prove possession of an
> email address would suffice.
Whether that is a good idea or not depends on what you (as the sender,
*or* as the recipient) want an identity document to mean. If it's good
enough to be able to strongly suggest that the sender of message A and the
sender of message B are the same (possibly unknown) person, then these
essentially anonymous certificates should suffice. If, on the other hand,
someone wishes to identify the sender of a message with some entity or
event outside the realm of e-mail (and there are legitimate reasons to do
so) then more investigation is needed to bind the certificate to that
I wouldn't give much weight to the word of a CA which depends on e.g. AOL
to supply real-world identity checking. I don't know what the ISPs do to
identify people, beyond assuring themselves that the checks are bankable.
I'd accept such a certificate as usefully meaningful if I received it
physically from a known individual described by the certificate.
(Yes, I'm well aware that my own PGP key is as yet signed only by me. I'm
still looking for a way to find someone *known to me* who also uses PGP,
and meanwhile it at least allows me to tell people personally that they
should discount messages appearing to emanate from me which are not
Mark H. Wood, Lead System Programmer mwood at IUPUI.Edu
Open-source executable: $0.00. Source: $0.00 Control: priceless!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: pgpenvelope 2.10.2 - http://pgpenvelope.sourceforge.net/
-----END PGP SIGNATURE-----
More information about the Gnupg-users