gpgsm and expired certificates
Uwe Brauer
oub at mat.ucm.es
Mon Nov 4 23:43:43 CET 2013
>> "MFPA" == MFPA <expires2013 at ymail.com> writes:
Hello
> There are already several private sector CAs who provide free S/MIME
> certificates in the hope that punters may take one of their paid
> products instead or in addition. Potential sales is their incentive to
> provide some products free. What would be a government's incentive to
> provide them free of charge instead of charging for the admin? And
> what would a government based CA bring to the party that is not
> already available?
> If all we are talking about is email encryption to protect people's
> email from being read in transit, a self-signed certificate takes care
> of the encryption without the need for a CA. The only value in using a
> recognised CA rather than a self-signed certificate is convenience for
> the recipient, whose MUA is likely to automatically "trust" a
> recognised CA but would need to be "told" to accept a self-signed
> certificate.
Ok let me try to answer this point by point. Before doing I want to
emphasise that I am taking a very pragmatic point of view here.[1]
- NSA (among others) has abused its resource to read email
worldwide at a very large scale.
- so if a lot of people, say 30 % of all users would encrypt their
email, then NSA statistical approach would *not* work that smooth
and this is a good thing.
- so encrypting email should be easy and look trustful for a
majority of users
- usually public/private key based methods are considered relative
secure (Even Snowden claimed that you could rely on them), this
does not mean that the NSA could not read your email. They would
usually try to enter your machine installing a keylogger or
something like this. But this is beyond the statistical method I
mentioned above.
- if I understand correctly the real problem is not security of the
the cipher but the authenticity of the sender and so the most
common attack is a man in the middle attack. This is true for
both smime and gpg. So comparing fingerprints of public key is a
good thing, which most of us, I presume, don't do.
- from my own experience I am convinced that smime is much easier
than gpg[2] for reasons I am not going to repeat here. (I got 7
out of 10 of my friends/colleagues to use smime, but 0 of 10 to
use gpg.)
- one of the reasons some of them hesitated was the fact that the
certificates were offered by some commercial company they did not
know and trust.[3]
They would have had installed it from a government based
organisation, say the ministry of justice though.
- so if some government based organisation would do what say commodo
does it would send a signal to the public that it takes privacy
seriously and I think it would encourage more people to use smime.
- Private certificates, are unfortunately no solution. Yes it is
possible with openssl to generate them, I have done that
myself. However it is very difficult till impossible to convince
the main email programs, such as outlook, thunderbird or Apple
mail to use them or to use public keys sent by such
certificates. [4]
Uwe Brauer
Footnotes:
[1] I must add that I don't share your general view about government
based organisations. I still hope that abuse is the exception not
the rule..
[2] although pgp seems technically better, since some implementations of
smime allow a relative short symmetric key
[3] (Besides these companies have a certain business model and their
free certificates last short and expire usually after one year.)
[4] I finally managed to use them in thunderbird, but is was
complicated not something the regular user would like to do.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5556 bytes
Desc: not available
URL: </pipermail/attachments/20131104/f6089fd2/attachment-0001.bin>
More information about the Gnupg-users
mailing list