nanog mailing list archives
Re: PGP, S/MIME + SSL cross-reference (Was: Dear RIPE: Please don't encourage phishing)
From: Leo Bicknell <bicknell () ufp org>
Date: Fri, 10 Feb 2012 10:01:06 -0800
In a message written on Fri, Feb 10, 2012 at 06:46:43PM +0100, Jeroen Massar wrote:
> The problem still lies in the issue that most people, even on this very list, do not use PGP or S/MIME. (and that there are two standards does not help much there either ;)
The problem space is still certificate management.

I bet (nearly) everyone on the list uses an e-mail client that can decode S/MIME. mutt, pine, Outlook, OSX Mail, gmail, they all do it. We all have browsers that do SSL.

OSX at least has a central certificate store (Keychain), although it's not up to the tasks of the world I wish to have. Other OSes provide no central store, so each application maintains its own key store.

We have a very real problem of pre-loading the key store, for instance root certificate trust for X.509 certificates.

We need a central certificate store on every platform, easy, secure ways to transfer/sync it (to, say, mobile devices), and a bit of UI goo.

Imagine a capability as simple as being able to add a description to a cert in your key store. I should be able to download my bank's cert, verify it (call and check fingerprint, check a trusted third party, web of trust, probably multiple ways, automated, would be best) and then tag it "Leo's Bank". When I get e-mail from it, or go to it with my web browser it should now say "Leo's Bank" in all of my software, telling me not only do I have the little padlock, but it's the certificate I personally validated.

When I click on a link in e-mail it should pass the URL AND KEY to the next program (e.g. my browser). My browser can then silently load if they are the same, or give me a big pop-up "The person who sent this e-mail is different from the person who runs this web site."

It's all UI. No new technology, protocols, encryption formats or other things are needed. It's making end user software act in a responsible way.

Of course I'd also prefer my bank allowed me to provide my certificate to them, and they crypto authenticated me (perhaps in addition to passwords and pins). This should all be two-way.

-- 
Leo Bicknell - bicknell () ufp org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
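The tag-and-compare behaviour described in the message above, as an added example that is not part of the original e-mail or of any existing software. `LabelStore`, `check_handoff`, `spoken_form` and the sample byte strings are hypothetical, and it assumes "same key" is decided by comparing SHA-256 fingerprints of the whole DER-encoded certificate.

```python
import hashlib
import hmac

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()

def normalize(fp: str) -> str:
    """Accept a fingerprint as read aloud or pasted: colons, spaces, any case."""
    return "".join(c for c in fp.lower() if c in "0123456789abcdef")

def spoken_form(cert_der: bytes) -> str:
    """Fingerprint the way a help desk would read it: AA:BB:CC:..."""
    fp = fingerprint(cert_der).upper()
    return ":".join(fp[i:i + 2] for i in range(0, len(fp), 2))

class LabelStore:
    """Hypothetical central store shared by mail client and browser."""
    def __init__(self):
        self._labels = {}  # fingerprint -> label chosen by the user

    def tag(self, cert_der: bytes, out_of_band_fp: str, label: str) -> None:
        """Label a cert only if it matches a fingerprint obtained through a
        separate channel (phone call, trusted third party, web of trust)."""
        fp = fingerprint(cert_der)
        if not hmac.compare_digest(fp, normalize(out_of_band_fp)):
            raise ValueError("fingerprint mismatch; certificate not tagged")
        self._labels[fp] = label

    def label_for(self, cert_der: bytes):
        return self._labels.get(fingerprint(cert_der))

def check_handoff(store, sender_cert_der: bytes, site_cert_der: bytes):
    """Browser-side decision when the mail client passes the URL AND key."""
    if fingerprint(sender_cert_der) != fingerprint(site_cert_der):
        return ("warn", "The person who sent this e-mail is different from "
                        "the person who runs this web site.")
    label = store.label_for(site_cert_der)
    if label is None:
        # Keys agree, but the user never validated this cert: padlock only.
        return ("unverified", None)
    return ("ok", label)  # load silently and show the user's own label

# Constructed stand-ins for DER certificates (not real certificates).
BANK_CERT = b"constructed-der-bytes: bank"
LOOKALIKE_CERT = b"constructed-der-bytes: lookalike site"
```
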