NAI pulls out the DMCA stick

Peter Gutmann pgut001 at
Mon May 27 22:37:54 PDT 2002

jamesd at writes:
>On 27 May 2002 at 19:56, Peter Gutmann wrote:
>>jamesd at writes:
>>>My impression is that S/MIME sucks big ones, because it commits one
>>>to a certificate system based on verisign or equivalent.
>>I'll say this one more time, slowly for those at the back: What you're
>>criticising is PEM circa 1991, not S/MIME.  Things have moved on a bit
>>since then.
>You need a certification authority.  Every one you deal with has to
>acknowledge whatever certification authority gave you your certificate.
>[etc etc - standard description of original 10-year-old PEM certification
> model]

No, as I said before, what you're describing is PEM circa 1991, not S/MIME.  In
the S/MIME model, anyone can issue certs (just like PGP), including yourself.
In addition, many large CAs will issue certs in any name to anyone, so even if
you don't want to do your own keys a la PGP you can still get a Verisign cert
which behaves like a PGP key.

Rather than wasting all this bandwidth in a lets-bash-S/MIME-by-pretending-
it's-still-PEM debate (what is it with this irrational fear of S/MIME?), I'd be
more interested in a serious discussion on which key-handling model is less
ineffective, WoT or X.509-free-for-all.  At the moment both of them seem to
work by using personal/direct contact to exchange keys, with one side
pretending to be WoT-based (although no-one ever relies on this) and the other
pretending to be CA-based (although no-one ever relies on this [0]).  The end
result is that they're more or less the same thing, the only major
differentiating factor being that most X.509-using products don't allow you to
distribute your own certs the way PGP does.


[0] With my earlier caveat about exceptions for government orgs who have been
    instructed to rely on it, or else.
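An added illustration of the "anyone can issue certs, including yourself" point above (example code, not from the thread): a self-issued certificate signs S/MIME mail, a recipient who obtained that certificate directly verifies the signature with no CA involved, and a recipient with an empty trust store cannot. Assumes an OpenSSL command-line tool at 1.1.1 or later (for `-addext` and `-no-CAfile`); the name, e-mail address, message and file names are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the openssl CLI (1.1.1+).
# The name, e-mail address, message and file names here are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Self-issue a cert that binds a key to an e-mail address. No CA in sight:
# this is the S/MIME-as-PGP-key model the post describes.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=Alice Example/emailAddress=alice@example.invalid" \
  -addext "subjectAltName=email:alice@example.invalid" \
  -keyout alice.key -out alice.crt >/dev/null 2>&1

# Sign a constructed message with the self-issued cert.
printf 'Subject: test\n\nhello\n' > msg.txt
openssl smime -sign -in msg.txt -signer alice.crt -inkey alice.key \
  -out msg.p7m

# Recipient who got alice.crt by personal/direct contact pins it as the
# trust anchor; the signature chains to it and verifies. Returns 0.
verify_direct_trust() {
  openssl smime -verify -in msg.p7m -CAfile alice.crt -no-CApath \
    -out /dev/null >/dev/null 2>&1
}

# Recipient with an empty trust store: same signature, nothing to chain to,
# so verification fails. Returns non-zero.
verify_no_trust() {
  openssl smime -verify -in msg.p7m -no-CAfile -no-CApath \
    -out /dev/null >/dev/null 2>&1
}

# Stand-alone run: report both outcomes.
if verify_direct_trust; then echo "direct trust: verified"; fi
if verify_no_trust; then echo "no trust: verified (unexpected)"
else echo "no trust: not verified"; fi
```

Swapping `-CAfile alice.crt` for a CA bundle that issued the signer's cert is the only difference between this and the CA-based model; the signing and verification steps are otherwise identical.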

More information about the cypherpunks-legacy mailing list