Sendmail and GnuPG wrapper
Werner Koch
wk@gnupg.org
Mon Jun 11 19:25:01 2001
|| On Mon, 11 Jun 2001 09:28:37 -0700
|| Claus Assmann <ca+gnupg@esmtp.org> wrote:
ca> Why do you want that? What's wrong with STARTTLS?
There are 2 advantages I can see:
* Letting the MTA handle encryption opens an easy migration path to
real desktop to desktop encryption. As soon as some employees or
the organisational structure of a firm are ready to use OpenPGP on
the desktop they can simply do so and let the MTA still handle the
rest of the traffic.
* OpenPGP is a well established standard (sort of) and there is no
need to have MTA side encryption on both ends. If you want to
send something to a company which uses MTA based OpenPGP
encryption (e.g. GEAM) you can use your regular MUA (like Mutt or
Gnus) to do so. It is entirely transparent.
ca> If you want to give the private keys to the MTA then you should use
OpenPGP has a more advanced scheme for key administration. For
example you can just keep the encryption subkey on the MTA and thereby
reduce the problems of key compromise a lot - you can simply
change the encryption key if you think this is needed or even on a
regular basis and thereby gain some forward secrecy.
STARTTLS seems to be a good idea but unless DNSSEC can automagically
handle the key distribution it requires additional manual setup. It is
a pity that DNSSEC is moving forward so slowly. And that bloated
Bind 9 thing is just another story.
ciao,
Werner
--
Werner Koch
g10 Code GmbH
Privacy Solutions

Omnis enim res, quae dando non deficit, dum habetur
et non datur, nondum habetur, quomodo habenda est.
-- Augustinus
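An added shell example of the scheme described above (keeping only the encryption subkey on the MTA); this is not code from the original mail and assumes GnuPG 2.1 or later, with the user id, passphrase and key directories constructed for the demo:

```shell
#!/bin/sh
# Added example (not from the original mail): keep the OpenPGP primary key off
# the MTA and give the mail gateway only the encryption subkey, so the subkey
# can be rotated without touching the certification key. Assumes GnuPG >= 2.1.
# The user id, passphrase and homedirs below are constructed for the demo.
set -eu

PASS=demo-passphrase
g() { gpg --batch --yes --quiet --pinentry-mode loopback --passphrase "$PASS" "$@" 2>/dev/null; }

demo_split_subkey() {
    command -v gpg >/dev/null 2>&1 || { echo skipped; return 0; }
    work=$(mktemp -d); offline="$work/offline"; mta="$work/mta"
    mkdir -m 700 "$offline" "$mta"
    uid='MTA Gateway <gateway@example.invalid>'

    # 1. Offline host: certify-only primary key plus a separate encryption subkey.
    g --homedir "$offline" --quick-gen-key "$uid" ed25519 cert never
    fpr=$(g --homedir "$offline" --with-colons --list-keys | awk -F: '$1=="fpr"{print $10; exit}')
    g --homedir "$offline" --quick-add-key "$fpr" cv25519 encr 1y

    # 2. Hand the MTA the public key and ONLY the secret subkey(s).
    g --homedir "$offline" --export "$fpr" > "$work/pub.gpg"
    g --homedir "$offline" --export-secret-subkeys "$fpr" > "$work/sub.gpg"
    g --homedir "$mta" --import "$work/pub.gpg" "$work/sub.gpg"

    # 3. Check the MTA keyring: primary secret key is only a stub ("sec#"), subkey is real.
    g --homedir "$mta" --list-secret-keys | grep -q '^sec#' || { echo primary-leaked; return 1; }
    g --homedir "$mta" --list-secret-keys | grep -q '^ssb ' || { echo no-subkey; return 1; }

    # 4. The gateway can still encrypt and decrypt with the subkey alone.
    printf 'hello\n' | g --homedir "$mta" --trust-model always -r "$uid" --encrypt > "$work/m.gpg"
    out=$(g --homedir "$mta" --decrypt "$work/m.gpg")

    gpgconf --homedir "$offline" --kill all >/dev/null 2>&1 || true
    gpgconf --homedir "$mta" --kill all >/dev/null 2>&1 || true
    rm -rf "$work"
    [ "$out" = hello ] && echo ok || { echo roundtrip-failed; return 1; }
}
```

Rotating the gateway key then means running `--quick-add-key` again on the offline host and shipping the new subkey export, while correspondents keep certifying the same primary key.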