[messaging] Thoughts on keyservers

Mike Hearn mike at plan99.net
Mon Aug 18 08:16:57 PDT 2014


Hi Bruce,

Nyms looks cool. It'd be nice if the website contained a more explicit
comparison against S/MIME and the existing PKI, as in many ways it sounds
quite similar structurally, just with different wire protocols.

For example if I go here:

http://www.comodo.com/home/email-security/free-email-certificate.php

then my client agent (browser) generates a key, uploads a request to sign
the key, the notary (CA) sends me an email containing a challenge nonce
(clickable URL) that I use to prove that I control that email address, they
then sign using keys stored inside an HSM and the client agent (browser)
then downloads and installs the given cert so other apps (e.g. Mail.app)
can find it. Although for the free certs I believe Comodo does not run a
directory, other CAs do and they can be accessed via LDAP, which in theory
at least email clients already know how to do cert lookups from.

Nyms sounds like the same thing but with a different software and protocol
stack, along with tweaks like making the expiry period much shorter and
requiring multiple certs from multiple CAs. The upside to that is you get a
clean slate and don't have to deal with X.509 and LDAP (ick). The downside
is you lose all the existing infrastructure which has been built up over
many years.

So the question in my mind is - is it easier to redo it all from scratch,
or is it easier to upgrade the existing infrastructure for this, by (for
instance) running better CAs?
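The enrolment flow the post describes (client generates a key and uploads a signing request, the CA mails a challenge nonce to the address, the mailbox holder echoes it, the CA signs, the mail client later checks the result) written out as an added example in Go on top of the standard crypto/x509 package. This is not code from the post, from Comodo, or from Nyms; the Notary type, the 15-minute challenge window, the 30-day certificate lifetime and the addresses are assumptions chosen to illustrate the short-expiry point, and the "HSM" is an in-memory Ed25519 key.

```go
package main

// Added example (not the post's or any CA's code): e-mail-validated
// certificate issuance with a mailed challenge nonce. Assumptions: the
// Notary name, a 15-minute challenge window, a 30-day cert lifetime.

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// A pending challenge binds the mailed nonce to one mailbox and one exact CSR.
type challenge struct {
	email   string
	csrHash [32]byte
	expires time.Time
}

// Notary stands in for the CA; its signing key lives in memory, not an HSM.
type Notary struct {
	key      ed25519.PrivateKey
	Cert     *x509.Certificate
	validity time.Duration // lifetime of issued certificates
	pending  map[string]challenge
}

func NewNotary(validity time.Duration) (*Notary, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Notary CA"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Notary{key: priv, Cert: cert, validity: validity, pending: map[string]challenge{}}, nil
}

// ClientRequest is the browser side: generate a key and a CSR naming the mailbox.
func ClientRequest(email string) (ed25519.PrivateKey, []byte, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: email}, EmailAddresses: []string{email}}, priv)
	return priv, csr, err
}

// Enroll checks the CSR (its signature proves possession of the key) and returns
// the address to mail plus the nonce that goes into the clickable URL.
func (n *Notary) Enroll(csrDER []byte, now time.Time) (string, string, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return "", "", err
	}
	if err := csr.CheckSignature(); err != nil {
		return "", "", err
	}
	if len(csr.EmailAddresses) != 1 {
		return "", "", errors.New("CSR must name exactly one e-mail address")
	}
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", "", err
	}
	id := hex.EncodeToString(nonce)
	n.pending[id] = challenge{csr.EmailAddresses[0], sha256.Sum256(csrDER), now.Add(15 * time.Minute)}
	return csr.EmailAddresses[0], id, nil
}

// Confirm is the URL click: the nonce is single-use, time-limited and bound to the CSR.
func (n *Notary) Confirm(nonceHex string, csrDER []byte, now time.Time) ([]byte, error) {
	ch, ok := n.pending[nonceHex]
	delete(n.pending, nonceHex) // consumed on first use, whether or not it succeeds
	if !ok || now.After(ch.expires) {
		return nil, errors.New("unknown or expired challenge")
	}
	h := sha256.Sum256(csrDER)
	if subtle.ConstantTimeCompare(h[:], ch.csrHash[:]) != 1 {
		return nil, errors.New("CSR does not match the one that was challenged")
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: csr.Subject,
		EmailAddresses: []string{ch.email}, // only the address that answered the mail
		NotBefore:      now.Add(-time.Minute), NotAfter: now.Add(n.validity),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, n.Cert, csr.PublicKey, n.key)
}

// VerifyEmailCert is the mail client's check: chain to the notary, still valid,
// usable for e-mail, and actually naming the sender's address.
func VerifyEmailCert(certDER []byte, root *x509.Certificate, email string, now time.Time) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}); err != nil {
		return err
	}
	for _, e := range cert.EmailAddresses {
		if e == email {
			return nil
		}
	}
	return fmt.Errorf("certificate does not name %s", email)
}

func main() {
	now := time.Now()
	notary, _ := NewNotary(30 * 24 * time.Hour)
	_, csr, _ := ClientRequest("alice@example.com") // constructed address
	to, nonce, _ := notary.Enroll(csr, now)
	fmt.Println("mail challenge", nonce, "to", to)
	cert, err := notary.Confirm(nonce, csr, now)
	fmt.Println("issued:", err == nil, "verifies:", VerifyEmailCert(cert, notary.Cert, to, now) == nil)
}
```

The three checks in Confirm are where a real CA's value lies: the nonce is unguessable and single-use, it expires, and it is tied to the exact CSR that was submitted, so a nonce leaked from the mailbox cannot be redeemed for a certificate over a different key. Shortening `validity` is all it takes to get the short expiry the post mentions; the verification side needs no change.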