Trejkaz wrote:

> Peter Saint-Andre wrote:
>
>> Now, neither OpenPGP nor S/MIME enable you to repudiate what you said,
>> and if people find that important then they would need to do
>> JEP-0116 (or something very much like it, such as Gaim's OTR plugin).
>> So in part the differences here come down to requirements and
>> philosophy.
>
> Requirements are exactly it. The two camps will never agree on which
> style of cryptography to use, because:
>
> In the pro-OTR camp, everyone thinks that cryptography should be used in
> order to obfuscate what you said and remove traces that it was you who
> said it. So OTR will appeal in use cases where you want some kind of
> pseudo-anonymity.
>
> (OTOH, Normal Person + Internet + Anonymity = Total Jackhole)
>
> Then you have the pro-OpenPGP camp, where people think that cryptography
> should be used in order to be able to prove who said something,
> _especially_ at a later point in time. This is useful particularly in
> business, when someone wants to archive conversations for later auditing.
This seems accurate to me. Personally, I have realized that I am more
interested in identity than anonymity:

http://www.saint-andre.com/blog/2006-02.html#2006-02-27T22:13

Which is why the OpenPGP / X.509 approach has become more appealing to me
than the OTR approach. But I also understand that something like OTR is
valuable in certain contexts. E.g., if I were a dissident in a repressive
society, I sure as hell would prefer OTR to OpenPGP/X.509. But I'm not a
dissident in a repressive society, I'm an individual in what I hope can
remain an open society, so I tend to prefer OpenPGP/X.509 these days.
FWIW. :-)

> X.509 certificates are certainly too hard to obtain for most users,
> mainly because they're worth practically nothing without the signature
> from the CA (CAcert is of course available for no cost, but it still
> takes time: time users can't be bothered to spend.)

Well, some people get X.509 certs as part of their organizational
identity, so for them certs are easy to obtain.

> With OpenPGP, creating the keys is easy, if not trivial. Getting them
> signed (and hence trusted) takes the time.
>
> I guess you can blame a lot of that on the lack of a "simple" GUI for
> signing keys (by "simple", I refer not to KDE or GNOME simplicity, but
> MacOS simplicity.)
>
> I often wonder if an instant messaging client might one day provide that
> simple interface...
>
> User: [initiates chat to a contact who has signed their presence]
> IM Client: "Are you absolutely sure this person is the one you wish
> to talk to? [Yes/No/Ask me again later]"
> User: Yes
> IM Client: [signs the key with a relatively low, but good-enough
> trust value.]
>
> Add a nice indicator next to your contacts who have untrusted keys, and
> you have yourself an OpenPGP GUI which is almost as useful as the more
> advanced alternatives. It's not in "The Spirit" of OpenPGP where you
> go and meet people in person, but it's certainly more realistic for the
> ordinary user.
The buddy list as the center of your trust universe? I like it.

Peter

--
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml
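The repudiation distinction the thread turns on (an OTR-style deniable MAC versus an OpenPGP-style signature), as an added example that is not part of this thread or of either project's code: a one-time Lamport signature stands in for the OpenPGP signature and an HMAC under a shared session key stands in for the OTR-style MAC; the party names, key handling and sample messages are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# One-time Lamport signature (stand-in for an OpenPGP signature): only the
# private-key holder can produce it, so a third party holding the public key
# can later attribute the message to the signer. A key pair must sign only once.
def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk

def _message_bits(msg):
    digest = hashlib.sha256(msg).digest()
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_sign(sk, msg):
    # Reveal, for each bit of the message hash, the matching half of the pair.
    return [sk[i][bit] for i, bit in enumerate(_message_bits(msg))]

def lamport_verify(pk, msg, sig):
    return len(sig) == 256 and all(hashlib.sha256(sig[i]).digest() == pk[i][bit]
                                   for i, bit in enumerate(_message_bits(msg)))

# OTR-style deniable authentication (stand-in): an HMAC under a key both
# parties share. The recipient can verify it, but can equally well forge it,
# so the tag proves nothing to an auditor about who wrote the message.
def mac_tag(shared_key, msg):
    return hmac.new(shared_key, msg, hashlib.sha256).digest()

def demo():
    msg = b"Let's ship the release on Friday."        # constructed sample message
    altered = b"Let's ship the release on Monday."     # constructed altered message
    alice_sk, alice_pk = lamport_keygen()              # Alice's signing key (assumed)
    sig = lamport_sign(alice_sk, msg)
    # An auditor with only Alice's public key and the archived message/signature
    auditor_accepts = lamport_verify(alice_pk, msg, sig)
    auditor_accepts_altered = lamport_verify(alice_pk, altered, sig)
    session_key = secrets.token_bytes(32)              # shared Alice/Bob session key
    tag_from_alice = mac_tag(session_key, msg)
    # Bob, knowing the same key, computes a valid tag for words Alice never sent
    tag_forged_by_bob = mac_tag(session_key, altered)
    return {
        "auditor_accepts_signature": auditor_accepts,
        "auditor_accepts_altered_message": auditor_accepts_altered,
        "alice_tag_valid": hmac.compare_digest(tag_from_alice, mac_tag(session_key, msg)),
        "bob_forged_tag_valid": hmac.compare_digest(tag_forged_by_bob, mac_tag(session_key, altered)),
    }
```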
