gpgsm and expired certificates

Uwe Brauer oub at
Mon Nov 4 23:43:43 CET 2013

>> "MFPA" == MFPA  <expires2013 at> writes:

   > There are already several private sector CAs who provide free S/MIME
   > certificates in the hope that punters may take one of their paid
   > products instead or in addition. Potential sales is their incentive to
   > provide some products free. What would be a government's incentive to
   > provide them free of charge instead of charging for the admin? And
   > what would a government based CA bring to the party that is not
   > already available?

   > If all we are talking about is email encryption to protect people's
   > email from being read in transit, a self-signed certificate takes care
   > of the encryption without the need for a CA. The only value in using a
   > recognised CA rather than a self-signed certificate is convenience for
   > the recipient, whose MUA is likely to automatically "trust" a
   > recognised CA but would need to be "told" to accept a self-signed
   > certificate.

Ok let me try to answer this point by point. Before doing I want to
emphasise that I am taking a very pragmatic point of view here.[1]

    -  NSA (among others) has abused its resource to read email
       worldwide at a very large scale.

    -  so if a lot of people, say 30 % of all users would encrypt their
       email, then NSA statistical approach would *not* work that smooth
       and this is a good thing.

    -  so encrypting email should be easy and look trustful for a
       majority of users 

    -  usually public/private key based methods are considered relative
       secure (Even Snowden claimed that you could rely on them), this
       does not mean that the NSA could not read your email. They would
       usually try to enter your machine installing a keylogger or
       something like this. But this is beyond the statistical method I
       mentioned above.

    -  if I understand correctly the real problem is not security of the
       the cipher but the authenticity of the sender and so the most
       common attack is a man in the middle attack. This is true for
       both smime and gpg. So comparing fingerprints of public key is a
       good thing, which most of us, I presume, don't do.

    -  from my own experience I am convinced that smime is much easier
       than gpg[2] for reasons  I am not going to repeat here. (I got 7
       out of 10 of my friends/colleagues to use smime, but 0 of 10 to
       use gpg.)

    -  one of the reasons some of them hesitated was the fact that the
       certificates were offered by some commercial company they did not
       know and trust.[3]
       They would have had installed it from a government based
       organisation, say the ministry of justice though.

    -  so if some government based organisation would do what say commodo
       does it would send a signal to the public that it takes privacy
       seriously and I think it would encourage more people  to use smime.

    -  Private certificates, are unfortunately no solution. Yes it is
       possible with openssl to generate them, I have done that
       myself. However it is very difficult till impossible to convince
       the main email programs, such as outlook, thunderbird or Apple
       mail to use them or to use public keys sent by such
       certificates. [4]

Uwe Brauer 

[1]  I must add that I don't share your general view about government
     based organisations. I still hope that abuse is the exception not
     the  rule..

[2]  although pgp seems technically better, since some implementations of
     smime allow a relative short symmetric key

[3] (Besides these companies have a certain business model and their
       free certificates last short and expire usually after one year.)

[4]  I finally managed to use them in thunderbird, but is was
     complicated not something the regular user would like to do.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5556 bytes
Desc: not available
URL: </pipermail/attachments/20131104/f6089fd2/attachment-0001.bin>

More information about the Gnupg-users mailing list