On 03/01/2011 10:51 AM, Matt Willsher wrote: > My point is rather: why not just use X.509 keys and certs and why use > GPG/PGP at all? X.509 is multi purpose, well adopted and well trusted.
X.509 is certainly widely adopted, but that's about all you can say for it. well-trusted? not so much. here's a few links to get you started: http://www.freedom-to-tinker.com/blog/sroosa/flawed-legal-architecture-certificate-authority-trust-model https://www.eff.org/observatory https://www.eff.org/deeplinks/2010/03/researchers-reveal-likelihood-governments-fake-ssl http://www.cs.auckland.ac.nz/~pgut001/pubs/rsa2011.pdf And due to its single-issuer-per-cert design, X.509 is intrinsically antithetical to the decentralized model that freedombox needs to follow: http://lair.fifthhorseman.net/~dkg/tls-centralization/ To be clear, I'm just arguing against adoption of X.509 as a certificate format for the FreedomBox. My argument does not cover: * message encryption and signature formats (e.g. PGP/MIME vs. S/MIME) * transport layer tunnelling and authentication (e.g. TLS) these are separate decisions from the certificate formats, and should be made separately. --dkg
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Freedombox-discuss mailing list [email protected] http://lists.alioth.debian.org/mailman/listinfo/freedombox-discuss
