Sendmail and GnuPG wrapper

Werner Koch wk@gnupg.org
Mon Jun 11 19:25:01 2001


 || On Mon, 11 Jun 2001 09:28:37 -0700
 || Claus Assmann <ca+gnupg@esmtp.org> wrote: 

 ca> Why do you want that? What's wrong with STARTTLS?

There are 2 advantages I can see:

  * Letting the MTA handle encryption opens an easy migration path to
    real desktop to desktop encryption.  As soon as some employees or
    the organisational structure of a firm are ready to use OpenPGP on
    the desktop they can simply do so and let the MTA still handle the
    rest of the traffic. 

  * OpenPGP is a well established standard (sort of) and there is no
    need to have MTA side encryption on both ends.  If you want to
    send something to a company which uses MTA based OpenPGP
    encryption (e.g. GEAM) you can use your regular MUA (like Mutt or
    Gnus) to do so.  It is entirely transparent.

 ca> If you want to give the private keys to the MTA then you should use

OpenPGP has a more advanced scheme for key administration.  For
example you can just keep the encryption subkey on the MTA, thereby
reducing the problems of key compromise a lot - you can simply
change the encryption key if you think this is needed or even on a
regular basis, thereby gaining some forward secrecy.

STARTTLS seems to be a good idea but unless DNSSEC can automagically
handle the key distribution it requires additional manual setup. It is
a pity that DNSSEC is moving forward so slowly.  And that bloated
Bind 9 thing is just another story.

ciao,

  Werner

-- 
Werner Koch        Omnis enim res, quae dando non deficit, dum habetur
g10 Code GmbH      et non datur, nondum habetur, quomodo habenda est.
Privacy Solutions                                        -- Augustinus
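
The subkey arrangement described in the message above can be checked on the gateway host. This is an added example, not part of the original post and not GnuPG code. It audits constructed `gpg --list-secret-keys --with-colons` output, assuming the field layout documented in GnuPG's doc/DETAILS (field 15 is `#` for a secret-key stub); the function name `audit_mta_keyring` and the 90-day `max_age_days` policy are hypothetical.

```python
from datetime import datetime, timezone

# Constructed `gpg --list-secret-keys --with-colons` output (made-up key IDs).
# Field 12 = capabilities; field 15 = '#' when only a stub of the secret key
# is present, '+' when the secret key material is on this host.
SAMPLE = (
    "sec:u:4096:1:AAAAAAAAAAAAAAAA:1700000000:::u:::scESC:::#:::23::0:\n"
    "uid:u::::1700000000::0000::Mail Gateway <gateway@example.org>::::::::::0:\n"
    "ssb:u:3072:1:BBBBBBBBBBBBBBBB:1700000000::::::s:::#:::23:\n"
    "ssb:u:3072:1:CCCCCCCCCCCCCCCC:1717200000::::::e:::+:::23:\n"
)

def audit_mta_keyring(colons, now, max_age_days=90):
    """Return findings for a keyring that should hold only a fresh encryption subkey.

    max_age_days is a hypothetical rotation policy, not a value from the post.
    """
    findings, usable = [], 0
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] not in ("sec", "ssb") or len(f) < 15:
            continue  # only secret primary keys and secret subkeys matter here
        keyid, created, caps, token = f[4], f[5], f[11], f[14]
        if token == "#":  # stub only: the secret part is kept elsewhere
            continue
        if f[0] == "sec":
            findings.append(f"{keyid}: primary secret key is present")
        elif "e" not in caps:
            findings.append(f"{keyid}: non-encryption secret subkey is present")
        else:
            usable += 1
            born = datetime.fromtimestamp(int(created), timezone.utc)
            age = (now - born).days
            if age > max_age_days:
                findings.append(f"{keyid}: encryption subkey is {age} days old, rotate")
    if usable == 0:
        findings.append("no encryption subkey secret available for decryption")
    return findings

if __name__ == "__main__":
    for finding in audit_mta_keyring(SAMPLE, datetime.now(timezone.utc)):
        print(finding)
```

An empty result means the host holds only a recent encryption subkey; the primary key and any signing subkey appear as stubs.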