Should I use S/MIME?
Mark H. Wood
mwood at IUPUI.Edu
Mon Nov 8 14:02:08 CET 2004
I'm not prepared to address the original question, but some of the
responses are dancing around an issue which, in my opinion, is too little
discussed.
On Sat, 6 Nov 2004, Simon Josefsson wrote:
[snip]
> If someone knows of a public X.509 CA that issues you a certificate if
> you prove possession of a private key and an email address, I am
> interested and would recommend it to others. Heck, even one that gives
> you a certificate and a private key if you prove possession of an
> email address would suffice.
Whether that is a good idea or not depends on what you (as the sender,
*or* as the recipient) want an identity document to mean. If it's good
enough to be able to strongly suggest that the sender of message A and the
sender of message B are the same (possibly unknown) person, then these
essentially anonymous certificates should suffice. If, on the other hand,
someone wishes to identify the sender of a message with some entity or
event outside the realm of e-mail (and there are legitimate reasons to do
so) then more investigation is needed to bind the certificate to that
other identity.
I wouldn't give much weight to the word of a CA which depends on e.g. AOL
to supply real-world identity checking. I don't know what the ISPs do to
identify people, beyond assuring themselves that the checks are bankable.
I'd accept such a certificate as usefully meaningful if I received it
physically from a known individual described by the certificate.
(Yes, I'm well aware that my own PGP key is as yet signed only by me. I'm
still looking for a way to find someone *known to me* who also uses PGP,
and meanwhile it at least allows me to tell people personally that they
should discount messages appearing to emanate from me which are not
signed.)
--
Mark H. Wood, Lead System Programmer mwood at IUPUI.Edu
Open-source executable: $0.00. Source: $0.00 Control: priceless!