Mutt/GnuPG-Outlook-plugin diffs / Support for Microsoft's .epf, .pfx, .p12 ?

gabriel rosenkoetter gr at
Thu Feb 12 19:44:38 CET 2004

On Thu, Feb 12, 2004 at 05:23:46PM -0500, Luis R. Rodriguez wrote:
> I believe you have confused the identify tags (.vfc) allowed by Outlook
> and the certs we're discussing.

That's probably not the case, since I've only "Oh, look, they've got
a preference setting involving digital signatures" experience with
what Outlook calls digital certificates, and my only experience with
vCards is the vague memory that Mac OS's Eudora knows what they are
and I've seen one or two attached to emails and ignored the
attachments. :^>

That is, I don't think it's possible that I could have confused
these two things, since I have, at best, vague and fluttery
knowledge of each.

(I hope I didn't give the impression I knew more than this; I
certainly didn't intend to.)

> No, sorry, it doesn't just ask you for an e-mail, and your name.. It
> brings you to a page where you can *purchase* a certificate. Among the
> companies listed is VeriSign. 

Okay, well, there's another reason not to use this method of
cryptographic signature: it costs money. It costs money
legitimately, of course, since VeriSign and (less dispicable, imho)
companies like them employ people whose job it is to verify that you
really are who you say you are before they sign your certificate.
This is, in certain ways more attractive for business
correspondence: PGP is nice, but it's inherently a system based
around personal relationships. It feels a bit forced in business
relationships. This is probably no small part of the reason we use
certificate systems, rather than PKI systems, for cryptographic
authentication and encryption of data on "secure" web pages.

As an example: for the first time since I've been working there,
and probably the first time ever, a customer of my employer requested
that we verify the signature on our public key, sent to them so
that they could FTP PGP-enciphered files to us. This is definitely
not part of my job description, but I'm probably one of three people
in an 800-person company who understood the request.  Of the other
two: one's the CTO, and the other was busy fixing either the Cisco
router or the Exchange server. No other customer (much less
employee) has ever recognized that a third party could simply have
replaced the public key we sent to the customer with their own if
they wanted the data. Granted, we'd have noticed rather promptly,
but the damage could easily have been already done. No, I don't
like this, but it's pretty far from the top of my list of things
that need fixing.

> The .vfc (vCard File) files just seem to be another bad idea by MS to 
> bloat e-mail traffic with uncessary/unwanted attachments just to allow
> recipients to view a sender's detailed contact info (mind you,
> sometimes there are just empty).

Are vCards really a Microsoft invention? My first experience with
them was, as I said, within Mac OS (classic) and Eudora, so maybe
I'm tainted by that, but I had the impression that they weren't
actually invented in Redmond, but merely embraced (and, I would
habitually assume, extended) by Microsoft.

gabriel rosenkoetter
gr at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 186 bytes
Desc: not available
Url : /pipermail/attachments/20040212/b4b52809/attachment.bin

More information about the Gnupg-users mailing list