From the perspective of the average user (like my father, siblings, and most of my coworkers and customers), obtaining a PGP key is just about as complex as obtaining an x.509 certificate (CA- or self-signed). This means that user-friendly consumer-oriented software is going to end up generating the PGP key/x.509 certificate for the user. And if one needed stronger trust, then you'd require keys or certificates that are signed by a trusted authority anyway.
I don't see why one couldn't also apply this type of trust to self-signed (or even signed) x.509 certificates. As long as the certificate is valid, you can treat it as trusted if you're so disposed. At this point, it's no different than trusting unsigned PGP keys. Many of us already effectively do this everyday via our browser. It may not be considered the proper manner of working with certificates, but if I as a user decide I know better than the certificate chain, then that option should be open to me.
I'd like any standard that is developed to try and also accommodate organizations larger than mom and pop (or Aunt Tillie, or whatever the user-du-jour is now), and this is most likely going to mean the capability of supporting x.509 certificates.
But then, my opinion on how Jabber is going to take over the IM world are probably colored by my current employment (-:
Trejkaz wrote:
Peter Saint-Andre wrote:Now, neither OpenPGP or S/MIME enable you to repudiate what you said, and if people find that important then they would need to do JEP-0116 (or something very much like it, such as Gaim's OTR plugin). So in part the differences here come down to requirements and philosophy.Requirements are exactly it. The two camps will never agree on which style of cryptography to use, because:In the pro-OTR camp, everyone thinks that cryptography should be used in order to obfuscate what you said and remove traces that it was you whosaid it. So OTR will appeal in use cases where you want some kind of pseudo-anonymity.(OTOH, Normal Person + Internet + Anonymity = Total Jackhole)Then you have the pro-OpenPGP camp, people think that cryptography should be used in order to be able to prove who said something, _especially_ at a later point in time. This is useful particularly in business, when someone wants to archive conversations for later auditing.)Also in this camp you have all the people who were already using OpenPGP for some other reason, and therefore want to reuse their keys which they spent hours getting signed by dozens of people.But one thing that seems attractive about JEP-0116 is that it doesn't require end users to create OpenPGP keys or obtain X.509 certificates, both of which are hard for end users.X.509 certificates are certainly too hard to obtain for most users, mainly because they're worth practically nothing without the signature from the CA (CAcert is of course available for no cost, but it still takes time: time users can't be bothered to spend.)With OpenPGP, creating the keys is easy, if not trivial. Getting them signed (and hence trusted) takes the time.I guess you can blame a lot of that on the lack of a "simple" GUI for signing keys (by "simple", I refer not to KDE or GNOME simplicity, but MacOS simplicity.)I often wonder if an instant messaging client might one day provide that simple interface...User: [initiates chat to a contact who has signed their presence] IM Client: "Are you absolutely sure this person is the one you wish to talk to? [Yes/No/Ask me again later]" User: Yes IM Client: [signs the key with a relatively low, but good-enough trust value.]Add a nice indicator next to your contacts who have untrusted keys, and you have yourself an OpenPGP GUI which is almost as useful as the more advanced alternatives. It's not with "The Spirit" of OpenPGP where you go and meet people in person, but it's certainly more realistic for the ordinary user.TX
-- - LW "Got JABBER(R)?" <http://www.jabber.org/>
smime.p7s
Description: S/MIME Cryptographic Signature
