Peter Saint-Andre wrote:
Now, neither OpenPGP or S/MIME enable you to repudiate what you said,
and if people find that important then they would need to do
JEP-0116 (or something very much like it, such as Gaim's OTR plugin).
So in part the differences here come down to requirements and
philosophy.
Requirements are exactly it. The two camps will never agree on which
style of cryptography to use, because:
In the pro-OTR camp, everyone thinks that cryptography should be used in
order to obfuscate what you said and remove traces that it was you who
said it. So OTR will appeal in use cases where you want some kind of
pseudo-anonymity.
(OTOH, Normal Person + Internet + Anonymity = Total Jackhole)
Then you have the pro-OpenPGP camp, people think that cryptography
should be used in order to be able to prove who said something,
_especially_ at a later point in time. This is useful particularly in
business, when someone wants to archive conversations for later auditing.)
Also in this camp you have all the people who were already using OpenPGP
for some other reason, and therefore want to reuse their keys which they
spent hours getting signed by dozens of people.
But one thing that seems attractive about JEP-0116 is that it doesn't
require end users to create OpenPGP keys or obtain X.509
certificates, both of which are hard for end users.
X.509 certificates are certainly too hard to obtain for most users,
mainly because they're worth practically nothing without the signature
from the CA (CAcert is of course available for no cost, but it still
takes time: time users can't be bothered to spend.)
With OpenPGP, creating the keys is easy, if not trivial. Getting them
signed (and hence trusted) takes the time.
I guess you can blame a lot of that on the lack of a "simple" GUI for
signing keys (by "simple", I refer not to KDE or GNOME simplicity, but
MacOS simplicity.)
I often wonder if an instant messaging client might one day provide that
simple interface...
User: [initiates chat to a contact who has signed their presence]
IM Client: "Are you absolutely sure this person is the one you wish
to talk to? [Yes/No/Ask me again later]"
User: Yes
IM Client: [signs the key with a relatively low, but good-enough
trust value.]
Add a nice indicator next to your contacts who have untrusted keys, and
you have yourself an OpenPGP GUI which is almost as useful as the more
advanced alternatives. It's not with "The Spirit" of OpenPGP where you
go and meet people in person, but it's certainly more realistic for the
ordinary user.
TX
