Should I use S/MIME?

Mark H. Wood mwood at IUPUI.Edu
Mon Nov 8 14:02:08 CET 2004


I'm not prepared to address the original question, but some of the
responses are dancing around an issue which, in my opinion, is too little
discussed.

On Sat, 6 Nov 2004, Simon Josefsson wrote:
[snip]
> If someone knows of a public X.509 CA that issues you a certificate if
> you prove possession of a private key and an email address, I am
> interested and would recommend it to others.  Heck, even one that gives
> you a certificate and a private key if you prove possession of an
> email address would suffice.

Whether that is a good idea or not depends on what you (as the sender,
*or* as the recipient) want an identity document to mean.  If it's good
enough to be able to strongly suggest that the sender of message A and the
sender of message B are the same (possibly unknown) person, then these
essentially anonymous certificates should suffice.  If, on the other hand,
someone wishes to identify the sender of a message with some entity or
event outside the realm of e-mail (and there are legitimate reasons to do
so) then more investigation is needed to bind the certificate to that
other identity.

I wouldn't give much weight to the word of a CA which depends on e.g. AOL
to supply real-world identity checking.  I don't know what the ISPs do to
identify people, beyond assuring themselves that the checks are bankable.
I'd accept such a certificate as usefully meaningful if I received it
physically from a known individual described by the certificate.

(Yes, I'm well aware that my own PGP key is as yet signed only by me.  I'm
still looking for a way to find someone *known to me* who also uses PGP,
and meanwhile it at least allows me to tell people personally that they
should discount messages appearing to emanate from me which are not
signed.)

-- 
Mark H. Wood, Lead System Programmer   mwood at IUPUI.Edu
Open-source executable:  $0.00.  Source:  $0.00  Control:  priceless!

