[email protected] wrote:

> The root-evil of PKI is raising its ugly head....
> Once designed as all including directory, and later extended for
> off-line usage with kludges like revocation-lists and expiring
> certificates. :-(

There is however not really an alternative. PGP keys for example never expire (which is kind of possible with X.509 certificates by making them valid for 100 years). Even though it is possible to sign PGP keys, most PGP keys are not signed. Whether a PGP key is trusted should be decided for each individual key. PGP doesn't support a general certificate revocation mechanism (CRLs). You can decide to skip all PKI features, like using never-expiring certificates, not using CRLs, etc. Then PGP and S/MIME are kind of similar. Then you have some other proprietary solutions like Voltage IBE, but these are only usable for a closed setup.

Not that this helps you in any way, but if there was a good alternative I would probably have used it. If I had enough time I would create add-ins for most email clients to be more pragmatic when it comes to PKI rules (in the past I actually created several S/MIME email client add-ons, but that was with a different company). Explain more and allow users to override the default PKI behavior. Most S/MIME clients are not built by technicians that didn't think about the end-user. Instead of having the email client do all PKI checks, perhaps the gateway should do it for the end-user. This way the gateway can do more detailed checks and the PKI strictness can be set by the administrator.

> It's a pity that only a few people try hard to get signing/encryption
> usable. Djigzo is a tool in the right direction, but I think we need more
> to get S/MIME usable by non-geeks on a large scale.

True. Like for example a public certificate directory. We also need more pragmatic email clients that allow certain overrides.

> BTW: It seems that Bouncy Castle, which is included in Djigzo, supports the RFC
> 3161 extension. May I ask if you could check how difficult it may be to
> include something like timestamping in Djigzo?

I'll need some time to look at the documents. If it would be added, how are you going to check the signature?

Kind regards,

Martijn Brinkers

--
Djigzo open source email encryption

_______________________________________________
Users mailing list
[email protected]
http://lists.djigzo.com/lists/listinfo/users
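The mail contrasts the X.509 kludges (expiring certificates, CRLs) with PGP's never-expiring keys and suggests moving the PKI checks to a gateway whose strictness the administrator sets. The Go program below is an added example illustrating that idea with the standard library's crypto/x509; it is not Djigzo code and not Bouncy Castle. Everything in it is constructed: the `Policy` struct and its `AllowExpired`/`RequireCRL` knobs are hypothetical administrator settings, the CA, the signer certificate (issued for either 1 year or the "100 year" lifetime the mail mentions) and the CRL are generated on the fly with throwaway keys and fixed serial numbers, and the subject names are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Policy is a hypothetical gateway-side setting (an assumption of this example):
// the administrator decides how strict the PKI checks are, not each mail client.
type Policy struct {
	AllowExpired bool // still accept a signer certificate whose validity period has ended
	RequireCRL   bool // fail closed when no fresh CRL from the issuer is available
}

// TestPKI is constructed test material: a self-signed CA, a signer ("leaf")
// certificate and a CRL. None of it is real-world PKI data.
type TestPKI struct {
	CA     *x509.Certificate
	Leaf   *x509.Certificate
	CRLDER []byte
}

func mustKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildPKI issues a signer certificate valid for leafYears years (1 for a usual
// S/MIME certificate, 100 for the "never expires" approach the mail mentions)
// and a CRL that lists that certificate when revoke is true.
func BuildPKI(now time.Time, leafYears int, revoke bool) *TestPKI {
	caKey := mustKey()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test CA"},
		SubjectKeyId:          []byte{0x01, 0x02, 0x03, 0x04}, // CreateRevocationList needs one on the issuer
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(200, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca := mustCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)

	leafKey := mustKey()
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "user@example.invalid"}, // placeholder subject
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.AddDate(leafYears, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	leaf := mustCert(leafTmpl, ca, &leafKey.PublicKey, caKey)

	crlTmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: now.Add(-time.Hour),
		NextUpdate: now.AddDate(0, 0, 30), // a CRL is itself only good for a limited window
	}
	if revoke {
		crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	if err != nil {
		panic(err)
	}
	return &TestPKI{CA: ca, Leaf: leaf, CRLDER: crlDER}
}

// CheckSigner validates the signer certificate against the CA under the policy,
// as of time at, and returns nil when the gateway should accept the signer.
func CheckSigner(p Policy, pki *TestPKI, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(pki.CA)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if _, err := pki.Leaf.Verify(opts); err != nil {
		var inv x509.CertificateInvalidError
		if !(errors.As(err, &inv) && inv.Reason == x509.Expired && p.AllowExpired) {
			return fmt.Errorf("chain validation failed: %w", err)
		}
		// Policy tolerates an expired signer: re-validate as of the last instant the
		// certificate was valid, so the signature and every other check still run.
		opts.CurrentTime = pki.Leaf.NotAfter
		if _, err := pki.Leaf.Verify(opts); err != nil {
			return fmt.Errorf("chain validation failed: %w", err)
		}
	}
	if pki.CRLDER == nil {
		if p.RequireCRL {
			return errors.New("no CRL available and policy requires one")
		}
		return nil // lenient policy: no revocation data, no objection
	}
	crl, err := x509.ParseRevocationList(pki.CRLDER)
	if err != nil {
		return fmt.Errorf("bad CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(pki.CA); err != nil { // only the CA's own CRL counts
		return fmt.Errorf("CRL signature invalid: %w", err)
	}
	if at.After(crl.NextUpdate) && p.RequireCRL {
		return errors.New("CRL is stale and policy requires a fresh one")
	}
	for _, rc := range crl.RevokedCertificates { // a stale CRL still records past revocations
		if rc.SerialNumber.Cmp(pki.Leaf.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s revoked at %s", rc.SerialNumber, rc.RevocationTime.UTC().Format(time.RFC3339))
		}
	}
	return nil
}

func main() {
	now := time.Now()
	strict, lenient := Policy{RequireCRL: true}, Policy{AllowExpired: true}
	oneYear := BuildPKI(now, 1, false)
	fmt.Println("today, strict:          ", CheckSigner(strict, oneYear, now))
	fmt.Println("in two years, strict:   ", CheckSigner(strict, oneYear, now.AddDate(2, 0, 0)))
	fmt.Println("in two years, lenient:  ", CheckSigner(lenient, oneYear, now.AddDate(2, 0, 0)))
	fmt.Println("100-year cert, revoked: ", CheckSigner(strict, BuildPKI(now, 100, true), now))
}
```

The two runs on the one-year certificate show the trade-off in the mail: the strict policy rejects a signature two years later purely because the certificate expired, while the lenient policy re-checks the chain as of the certificate's last valid moment and accepts it. The 100-year certificate shows why expiry is not the whole story: with no expiry to fall back on, the CRL is the only way the issuer can ever withdraw that key, which is exactly the mechanism PGP lacks. Re-validating at `NotAfter` and scanning a stale CRL anyway are design choices of this example, not rules from any standard.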
