
BLU Discuss list archive



Relevance of PGP?



On Jun 11, 2011, at 9:14 AM, Edward Ned Harvey wrote:
> 
> But you can certainly establish all the same external context using S/MIME
> or PGP alike.  The only difference is whether or not you HAVE TO establish
> external context.

You have it backwards.  PGP/GPG do not require the use of the external verification channel.  They can be used just fine with blind trust that the sender or signer is who he claims to be.  The difference is that with S/MIME I am required to trust that the CA has not been compromised, but with PGP/GPG I have an independent verification mechanism.

Let me give you two real world examples.  The first is trusting PGP/GPG blindly.  Install Debian over the network.  There.  You've just blindly trusted that the signatures on all of the packages were made by the valid Debian keys.  No web of trust or external verification required.  No different from using S/MIME signatures.

The second:  Several jobs back I had to communicate with a little company working on a sensitive project.  Their preference was to use PGP for encryption.  We -- the person I was dealing with specifically and myself -- exchanged keys.  We then called each other in turn and verified the fingerprints of our respective keys.  This verification was not required to use PGP, but the option is there and the company insisted on using it.

That verification would not be possible with S/MIME.  There is no validation mechanism besides the CAs with S/MIME.  We would both need to trust that our CAs had not been compromised.  This company was unwilling to make that assumption.

The company?  Rohr Industries (now owned by Goodrich).  At the time, circa 1997, it was a Lockheed contractor on the X-33 programme.  Rohr had justifiable concerns over both foreign and domestic espionage and they chose PGP instead of S/MIME for communications with other contractors.

S/MIME is not the same as PGP/GPG.  It is not a religious argument.  It is a clear, technical distinction.

--Rich P.
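The phone verification Rich describes, as an added example that is not part of the original post: the fingerprint two parties read to each other is computed from the public key packet itself (the OpenPGP version 4 fingerprint of RFC 4880, section 12.2), so agreement over an independent channel binds the key to the person without any certificate authority in the loop. The RSA modulus, creation time, and the "spoken" fingerprint string below are constructed for illustration, not a real key; the substituted key stands in for what a man-in-the-middle would present to someone who trusts blindly.

```python
"""OpenPGP v4 fingerprints: compute, normalise, and check out of band.

Added example, not code from the original post. Key material is constructed.
"""
import hashlib
import struct

RSA_ENCRYPT_OR_SIGN = 1  # RFC 4880 public-key algorithm ID for RSA

# Constructed 2048-bit odd values standing in for RSA moduli (not real keys).
GENUINE_N = (int.from_bytes(hashlib.sha256(b"constructed genuine modulus").digest() * 8, "big")
             | (1 << 2047) | 1)
SUBSTITUTED_N = (int.from_bytes(hashlib.sha256(b"constructed attacker modulus").digest() * 8, "big")
                 | (1 << 2047) | 1)
CREATED = 865000000  # constructed creation timestamp (mid-1997)


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP multi-precision integer (RFC 4880 3.2)."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version-4 public-key packet for an RSA key: v4, time, algo, n, e."""
    return struct.pack(">BIB", 4, created, RSA_ENCRYPT_OR_SIGN) + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, the two-octet body length, and the packet body (RFC 4880 12.2)."""
    prefix = b"\x99" + struct.pack(">H", len(body))
    return hashlib.sha1(prefix + body).hexdigest().upper()


def key_id(fingerprint: str) -> str:
    """The 64-bit key ID is the low-order eight octets of the v4 fingerprint."""
    return fingerprint[-16:]


def spoken_form(fingerprint: str) -> str:
    """Group the 40 hex digits in blocks of four, as read aloud over the phone."""
    return " ".join(fingerprint[i:i + 4] for i in range(0, len(fingerprint), 4))


def normalize(spoken: str) -> str:
    """Drop whitespace and case so 'ab12 cd34' compares equal to 'AB12CD34'."""
    return "".join(spoken.split()).upper()


def verify_out_of_band(received_body: bytes, spoken: str) -> bool:
    """Accept a received key only if its fingerprint matches the one heard by phone."""
    return normalize(v4_fingerprint(received_body)) == normalize(spoken)


def verify_blindly(received_body: bytes) -> bool:
    """The 'install Debian over the network' model: any well-formed key is accepted."""
    return len(received_body) > 6 and received_body[0] == 4


if __name__ == "__main__":
    genuine = rsa_public_key_body(CREATED, GENUINE_N, 65537)
    substituted = rsa_public_key_body(CREATED, SUBSTITUTED_N, 65537)

    # What the counterpart reads to you over the phone, from their own copy.
    heard = spoken_form(v4_fingerprint(genuine))
    print("fingerprint heard:", heard, "key ID", key_id(v4_fingerprint(genuine)))

    for label, body in (("genuine", genuine), ("substituted", substituted)):
        print(f"{label:12s} blind={verify_blindly(body)} "
              f"out-of-band={verify_out_of_band(body, heard)}")
```

Both keys pass the blind check; only the genuine one passes the out-of-band check, which is the whole difference between the two trust models in the post. Note that the check is only as good as the channel: reading the fingerprint to a voice you recognise is the independent verification, while pasting it from the same e-mail that carried the key is not.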





