Modernizing Web-of-trust for Organizations

Lou Wynn lewisurn at gmail.com
Tue Feb 27 12:59:40 CET 2018


On 02/18/2018 05:55 PM, Ben McGinnes wrote:
> So you took a system built from the outset on a security model founded
> entirely on public key exchanges between distributed and federated
> (both self-determining and self-governing) nodes ... and then spent a
> considerable amount of time and effort making that system centralised
> in order to meet certain types of common business use cases ...
>
> ... with a software package which ships with a complete implementation
> of S/MIME as well ...
No, there is no S/MIME implementation because the PKI model it relies on
is inherently precarious for enterprise usage because it uses
third-party certificates. Once a third-party CA is trusted, all users it
certified become trusted while those users have no business
relationship with the enterprise.

> Hmm ...
>
> Okay, I just have one question:
>
> *Why?!*
The short answer is that neither S/MIME's PKI nor OpenPGP's web-of-trust
is suitable for organizational uses in terms of defining trusted people
for the organization. In addition, current clients of both require
considerable effort on the end-user side to configure and use. For a
longer analysis, here is a white paper:
https://www.cs.utah.edu/~luzhao/pub/doc/autonomous-certificate-authority.pdf


Thanks,
Lou

>
>
> Regards,
> Ben
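The point Lou makes about trusting a third-party CA, as an added example that is not part of this thread or of GnuPG: a short shell script, using only the openssl command-line tool, that builds a constructed "Example Public CA", issues certificates to an employee (alice@corp.example) and to an outsider (mallory@elsewhere.example), and shows that standard chain validation accepts both, while the organisation's own relationship check (here a constructed e-mail-domain allow-list standing in for a lookup in the organisation's directory) is what separates them. The CA, both users and the domains are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread or from GnuPG: once a CA is in the trust
# store, PKIX chain validation accepts every certificate that CA ever issued;
# "does this person have a relationship with us" is a separate, organisation-
# side check. The CA, both users and the domains are constructed for the demo.
# Needs only the openssl command-line tool.

WORK=$(mktemp -d)
cd "$WORK"

# Minimal openssl config so the run does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# 1. A third-party CA (hypothetical "Example Public CA") the organisation
#    decides to trust.
openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Example Public CA" -keyout ca.key -out ca.pem >/dev/null 2>&1

# issue <stem> <common name> <email>: end-entity certificate signed by that CA.
issue() {
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=$2/emailAddress=$3" -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -out "$1.pem" >/dev/null 2>&1
}

# 2. Two end entities: an employee, and someone with no relationship to the org.
issue alice   "Alice Employee"   alice@corp.example
issue mallory "Mallory Outsider" mallory@elsewhere.example

# chain_ok <cert>: what "trusting the CA" buys you, the standard PKIX check.
chain_ok() {
  openssl verify -CAfile ca.pem "$1" >/dev/null 2>&1
}

# org_accepts <cert>: chain check plus the organisation's own relationship test.
# The e-mail domain allow-list stands in for a lookup in the org's directory.
org_accepts() {
  chain_ok "$1" || return 1
  email=$(openssl x509 -in "$1" -noout -email | head -n 1)
  case "${email#*@}" in
    corp.example) return 0 ;;
    *)            return 1 ;;
  esac
}

chain_ok alice.pem      && echo "PKIX: alice.pem OK"
chain_ok mallory.pem    && echo "PKIX: mallory.pem OK as well (same trusted CA)"
org_accepts alice.pem   && echo "org:  alice.pem accepted"
org_accepts mallory.pem || echo "org:  mallory.pem rejected (no business relationship)"
```

openssl verify answers only whether a CA in the trust store signed the certificate; narrowing that to the organisation's own people is policy the relying party has to add on top, which is the gap the post is describing.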




More information about the Gnupg-users mailing list