It sometimes seems that folks are designing this in a vacuum.  Think 
about those of us that have been using PGP/GPG in all its forms for 
the better part of a decade....  Let's learn our lessons.

Bob Lord wrote:
> 
> There will be a preference to get certs from a directory server.  The
> client will perform that lookup automatically if you have the preference
> configured correctly.

This is an incredibly bad trust model.  How did you verify that the 
transaction with the directory server is secure/trusted?

You think that it doesn't matter whether the server is trustworthy, 
because the CA signature verifies the certificate?  Uh-uh.  Too many 
holes have been found in the past for that to be true.

Since when do we "trust" email addresses, anyway?  The only way we can 
trust the recipient is upon verification of a communication round trip!

The certificates should only be fetched and stored in the address book, 
and some count of successful verifications of incoming messages should 
be kept as well.

The address book should have a checkbox for "send messages encrypted", 
something like "prefers HTML".

The user should be queried EVERY time about trust for that recipient, 
indicating the number of successful verifications, until such time as 
the checkbox is flagged.


> The current UI shows a pref which only allows the
> user to select one LDAP server and it sounds from your comments below
> that you anticipate having a large number of users who will need to
> select several LDAP servers.
> 
Of course!  We do already!


> Regarding the need to select among multiple encryption certs: I
> anticipate a pref which is basically the same as the SSL client-auth
> pref: manual select vs. auto select.  You and I might want to select
> manual select to resolve ambiguity.  Other people may want to have the
> client automatically select a cert.
> 
On what basis?  

Newest cert?  (could be MITM replacement) 

Oldest cert?  (will never migrate to newer cert)


> Regarding selecting expired certs: do you anticipate such a need?  When
> might it be appropriate to use an expired cert?
> 
When you don't have anything better.


> It sounds like you'd like to have overrides for the basic prefs on a
> per-message basis.  How common do you think this configuration would be?
>   In other words, what percentage of users would want to have more than
> one cert per email address/account?
> 
What percentage of users do now?  (I see a lot, but I hang with folk 
that have been using PGP for years, and generate a new cert every year. 
I only have 3 myself.)

In PGP, I can sign wsimpson@greendragon mail with wsimpson@watervalley, 
and I like that feature, especially when I'm moving correspondence 
between machines.

And for a reality check, I expect that many early adopters will have 
PGP, PKIX, SPKI, and even KeyNote certificates, and need to select 
among them.

-- 
William Allen Simpson
    Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32
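The address-book trust model proposed above (store the fetched cert, count successful verifications of incoming messages, prompt the user until the "send messages encrypted" checkbox is set), written up as an added Python example; this is not code from the original message. The `AddressBook` class and method names are illustrative, and the rule that a changed certificate clears the verification history is an assumption drawn from the "newest cert could be a MITM replacement" point above.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class AddressBookEntry:
    """Per-recipient trust state kept in the address book (constructed model)."""
    email: str
    cert_fingerprint: Optional[str] = None   # cert fetched from a directory, stored here
    verified_count: int = 0                  # successful verifications of incoming mail
    send_encrypted: bool = False             # the "send messages encrypted" checkbox


class AddressBook:
    def __init__(self):
        self.entries = {}

    def entry(self, email):
        return self.entries.setdefault(email, AddressBookEntry(email))

    def record_fetched_cert(self, email, fingerprint):
        """Store a cert obtained from a directory; the fetch alone grants no trust."""
        e = self.entry(email)
        if e.cert_fingerprint is not None and e.cert_fingerprint != fingerprint:
            # Assumption: a different cert for the same address (legitimate rollover
            # or a substituted cert) invalidates the verification history.
            e.verified_count = 0
            e.send_encrypted = False
        e.cert_fingerprint = fingerprint

    def record_verified_message(self, email, fingerprint):
        """Call after an incoming signed message verified against `fingerprint`."""
        e = self.entry(email)
        if e.cert_fingerprint != fingerprint:
            return False  # signed by a cert we never stored: not counted
        e.verified_count += 1
        return True

    def set_send_encrypted(self, email, flag):
        self.entry(email).send_encrypted = flag

    def trust_decision(self, email):
        """Decision before encrypting to `email`: (action, verifications so far)."""
        e = self.entries.get(email)
        if e is None or e.cert_fingerprint is None:
            return ("no-cert", 0)
        if e.send_encrypted:
            return ("encrypt", e.verified_count)
        return ("prompt", e.verified_count)   # ask every time until the box is ticked
```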