[149630] in North American Network Operators' Group


Re: PGP,

daemon@ATHENA.MIT.EDU (Leo Bicknell)
Fri Feb 10 13:02:00 2012

Date: Fri, 10 Feb 2012 10:01:06 -0800
From: Leo Bicknell <bicknell@ufp.org>
To: NANOG list <nanog@nanog.org>
Mail-Followup-To: NANOG list <nanog@nanog.org>
In-Reply-To: <4F355803.4040402@unfix.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


In a message written on Fri, Feb 10, 2012 at 06:46:43PM +0100, Jeroen Massar wrote:
> The problem still lies in the issue that most people, even on this very
> list, do not use PGP or S/MIME. (and that there are two standards does
> not help much there either ;)

The problem space is still certificate management.

I bet (nearly) everyone on the list uses an e-mail client that can
decode S/MIME.  mutt, pine, Outlook, OSX Mail, gmail, they all do
it.  We all have browsers that do SSL.

OSX at least has a central certificate store (Keychain), although
it's not up to the tasks of the world I wish to have.  Other OSes
provide no central store, so each application maintains its own
key store.  We have a very real problem of pre-loading the key
store, for instance root certificate trust for X.509 certificates.

We need a central certificate store on every platform, easy, secure ways
to transfer/sync it (to, say, mobile devices), and a bit of UI goo.
Imagine a capability as simple as being able to add a description to a
cert in your key store.  I should be able to download my bank's cert,
verify it (call and check the fingerprint, check a trusted third party,
web of trust, probably multiple ways, automated, would be best) and then
tag it "Leo's Bank".

When I get e-mail from it, or go to it with my web browser it should now
say "Leo's Bank" in all of my software, telling me not only do I have
the little padlock, but it's the certificate I personally validated.

When I click on a link in e-mail it should pass the URL AND KEY to
the next program (e.g. my browser).  My browser can then silently
load if they are the same, or give me a big pop up "The person who
sent this e-mail is different from the person who runs this web
site."

It's all UI.  No new technology, protocols, encryption formats or other
things are needed.  It's making end user software act in a responsible
way.

Of course I'd also prefer my bank allowed me to provide my certificate
to them, and they crypto authenticated me (perhaps in addition to
passwords and pins).  This should all be two-way.

-- 
       Leo Bicknell - bicknell@ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/

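A sketch of the tagged certificate store and the mail-to-browser handoff the message describes, added here as an illustration and not code from the message or from any real mail client or browser; the DER byte strings are constructed placeholders and `TaggedCertStore` and its methods are hypothetical names. It also covers the case the message leaves implicit: a bank that signs mail with one certificate and serves its web site with another, both of which the user has tagged with the same description.

```python
import hashlib

# Constructed placeholder "DER" bytes; a real store would hold the actual certificates.
BANK_MAIL_CERT = b"constructed: Leo's Bank S/MIME signing certificate"
BANK_SITE_CERT = b"constructed: Leo's Bank TLS server certificate"
LOOKALIKE_CERT = b"constructed: certificate of an unrelated site"

MISMATCH_WARNING = "The person who sent this e-mail is different from the person who runs this web site."


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated hex."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class TaggedCertStore:
    """Central store mapping certificate fingerprint -> user-assigned description."""

    def __init__(self):
        self.tags = {}

    def tag(self, cert_der: bytes, label: str, out_of_band_fp: str) -> bool:
        """Attach a description only if the downloaded cert's fingerprint matches one
        obtained independently (read over the phone, a trusted third party, ...)."""
        fp = fingerprint(cert_der)
        if fp != out_of_band_fp.upper():
            return False  # refuse: the cert we downloaded is not the one that was verified
        self.tags[fp] = label
        return True

    def describe(self, cert_der: bytes):
        """The label every program should show next to the padlock, or None if untagged."""
        return self.tags.get(fingerprint(cert_der))

    def check_handoff(self, mail_cert_der: bytes, site_cert_der: bytes):
        """Mail client hands the browser the URL *and* the sender's cert; the browser compares
        it with the site's cert. Same cert, or two certs tagged alike, load silently."""
        mail_label, site_label = self.describe(mail_cert_der), self.describe(site_cert_der)
        if fingerprint(mail_cert_der) == fingerprint(site_cert_der):
            return ("ok", site_label)
        if mail_label is not None and mail_label == site_label:
            return ("ok", site_label)
        return ("warn", MISMATCH_WARNING)


if __name__ == "__main__":
    store = TaggedCertStore()
    store.tag(BANK_MAIL_CERT, "Leo's Bank", fingerprint(BANK_MAIL_CERT))
    store.tag(BANK_SITE_CERT, "Leo's Bank", fingerprint(BANK_SITE_CERT))
    print(store.check_handoff(BANK_MAIL_CERT, BANK_SITE_CERT))  # ('ok', "Leo's Bank")
    print(store.check_handoff(BANK_MAIL_CERT, LOOKALIKE_CERT))  # ('warn', MISMATCH_WARNING)
```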

