Message-ID: <200305091857.h49Ivib9010504@turing-police.cc.vt.edu>
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: PGP vs. certificate from Verisign 

On Fri, 09 May 2003 13:22:27 CDT, Kamal Habayeb <mountainfury@...mail.com>  said:
> I'm trying to get some expert opinions on which is better.  Using Outlook
> 2002, would it be better to use PGP to encrypt messages or use the built-in
> option with a digital certificate from Verisign (or some other CA)?

Yes. ;)  (or more correctly, both are good solutions for different problems).

The *real* question is - is the threat model you're protecting against better
addressed with a web-of-trust defense or a hierarchical defense?

Basically, the PGP model works better if there's reason to believe that most
of the verifying will be done between people who know each other, or are likely
to have a large set of intermediaries in common ("I don't know who you are,
but 5 people I know all say you're Fred, so you probably are...").

The X.509 solution works better if there's little or no chance that the
entity you're encrypting from/to is previously known to you.

Alternatively, you have to ask the question "Do I trust my friends or Verisign
more, to make *SURE* that this entity is who they say they are?" (but make sure
to read http://www.cert.org/advisories/CA-2001-04.html and remember that this
incident is merely the most visible case of one of the single biggest problems
with the whole concept of X.509).

(Personally, I use PGP because the whole IETF/NANOG/security community is
fairly small and closed (perhaps 10K people, tops?), and PGP is a better fit
than X.509, which is designed for hundreds of millions of users that
you've never heard of before, and will never hear from again).
-- 
				Valdis Kletnieks
				Computer Systems Senior Engineer
				Virginia Tech
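The two trust computations contrasted in the message above, as an added example (this is not code from the message, from PGP/GnuPG or from any CA software). The web-of-trust side is modelled on the rule GnuPG documents for its default trust model: a key becomes valid once it is certified by one fully-trusted valid key, or by three marginally-trusted valid keys, within a maximum certification depth of five; the constants, key names and certification graph below are constructed for illustration. The X.509 side is a plain issuer-chain walk to a configured root, with one leaf added to show the failure mode the message points at via CA-2001-04: a certificate mis-issued by a trusted CA to an impostor validates exactly like a legitimate one, because nothing in the hierarchical check consults anyone who actually knows the subject.

```python
"""Toy comparison of web-of-trust validity (PGP) versus hierarchical chain
validation (X.509). Constants and data are illustrative assumptions."""

# GnuPG's documented defaults for the classic trust model (assumption: they
# have not changed; adjust if your installation sets --marginals-needed etc.).
MARGINALS_NEEDED = 3
COMPLETES_NEEDED = 1
MAX_CERT_DEPTH = 5


def wot_valid_keys(my_key, certifications, owner_trust):
    """Return the set of keys the local user would consider valid.

    certifications[key] = set of keys that have certified (signed) `key`.
    owner_trust[key]   = "full" | "marginal" (absent = no trust as introducer).
    The user's own key is implicitly ultimately trusted.  A signer counts
    only if it is itself already valid: owner trust on an unvalidated key
    means nothing, which is the "5 people I *know*" part of the message.
    """
    valid = {my_key}
    depth = {my_key: 0}
    changed = True
    while changed:                      # iterate to a fixpoint
        changed = False
        for key, signers in certifications.items():
            if key in valid:
                continue
            full = marginal = 0
            best_depth = None
            for s in signers:
                if s not in valid or depth[s] + 1 > MAX_CERT_DEPTH:
                    continue
                trust = "full" if s == my_key else owner_trust.get(s)
                if trust == "full":
                    full += 1
                elif trust == "marginal":
                    marginal += 1
                else:
                    continue
                d = depth[s] + 1
                best_depth = d if best_depth is None else min(best_depth, d)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                valid.add(key)
                depth[key] = best_depth
                changed = True
    return valid


def x509_chain_valid(leaf, issuer_of, trusted_roots, max_depth=MAX_CERT_DEPTH):
    """Walk issuer links from `leaf` until a configured root is reached.

    issuer_of[cert] = the cert that signed it (roots sign themselves).
    Note what is *not* checked: whether anyone other than the issuing CA
    has ever vouched for the subject named in the leaf.
    """
    cur = leaf
    for _ in range(max_depth):
        if cur in trusted_roots:
            return True
        if cur not in issuer_of:
            return False            # dangling chain
        cur = issuer_of[cur]
    return cur in trusted_roots


# --- constructed sample data -------------------------------------------------
CERTS = {                       # who has signed whose key
    "alice": {"me"}, "bob": {"me"}, "carol": {"me"}, "dave": {"me"},
    "fred": {"bob", "carol", "dave"},   # three marginal introducers -> valid
    "gina": {"alice"},                  # one full introducer -> valid
    "mallory": {"bob"},                 # one marginal -> not valid
    "hank": {"fred"},                   # fred is valid but has no owner trust
}
TRUST = {"alice": "full", "bob": "marginal", "carol": "marginal",
         "dave": "marginal"}

ISSUER = {                      # constructed X.509 hierarchy
    "RootCA": "RootCA",
    "IssuingCA": "RootCA",
    "fred@example.com": "IssuingCA",
    "impostor-posing-as-bigvendor": "IssuingCA",   # mis-issued, still chains
    "self-signed-mallory": "self-signed-mallory",
}
ROOTS = {"RootCA"}


def demo():
    """Return both verdict sets so the comparison can be inspected or tested."""
    wot = wot_valid_keys("me", CERTS, TRUST)
    x509 = {leaf: x509_chain_valid(leaf, ISSUER, ROOTS) for leaf in ISSUER}
    return wot, x509


if __name__ == "__main__":
    wot, x509 = demo()
    print("valid via web of trust:", sorted(wot))
    print("valid via X.509 chain  :", {k: v for k, v in x509.items() if v})
```

Run it and the contrast is the one the message draws: "fred" is accepted only because three people the local user already trusts certified him, while "hank" is rejected even though a valid key signed him, since that key's holder was never granted introducer trust. On the X.509 side the impostor's certificate chains to the root just as cleanly as the legitimate one; the only defence is the CA's issuance process, which is precisely what failed in the advisory cited above.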

