Reply to post: Re: I think the real reason PGP succeeded...

Cryptography whizz Phil Zimmermann looks back at 30 years of Pretty Good Privacy

dajames Silver badge

Re: I think the real reason PGP succeeded...

Actually you're paying for the private key and the certificate that encapsulates the public key which is signed by another key or by the private key. But for brevity I said key.

No! You should be generating the keyset (public and private keys) yourself and keeping the private key securely where nobody else gets to see it. It really is supposed to be private. What you may have to pay for is the certificate, which depends only on the public key.

And as far as trust goes, there would be nothing stopping a CA from selling its services and signing a PGP key just like they do now for certs.

Quite so ... though PGP's concept of a Web of Trust rather suggests a community in which members sign each other's keys for the common good. Methinks a paid-for signing scheme would not fit well into that philosophy.

It's important to appreciate that the difference between PGP and a PKI is as much to do with philosophy as with the difference in software and data formats. You can build a PKI around PGP, just as you can use self-signed X.509 certificates to form a Web of Trust -- but why would you?

So now CAs are the problem ...

The problem isn't CAs. The problem is that most people don't understand that unsigned EMail could have come from anyone, and don't understand that unencrypted EMail could be read by anyone ... and don't understand that there is something that they could do about it. The issue needs to achieve more public recognition, and security needs to become accepted as a commonplace part of doing business online.
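To make concrete the two points the post above makes, that the key pair is generated by its owner and a certificate is only ever a signature over the public key, and that a PKI and a Web of Trust differ mainly in who signs and whom the verifier already trusts, here is an added example. It is not the commenter's code, nor anything from PGP or The Register. It uses Go's standard-library Ed25519 as a stand-in for PGP or X.509 key formats, and a deliberately minimal "certificate" (an issuer's signature over the subject name and public key). The names ExampleCA, alice@example.org, bob and carol are invented for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Identity is a key holder. The private half is generated locally and is
// never exported; only Name and Pub are ever handed to a signer or a CA.
type Identity struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey // unexported: stays on the owner's machine
}

// Cert is a minimal stand-in for an X.509 certificate or a PGP key
// signature: an issuer's signature over (subject name, subject public key).
// The subject's private key plays no part in it.
type Cert struct {
	Subject string
	Pub     ed25519.PublicKey
	Issuer  string
	Sig     []byte
}

// NewIdentity generates the key pair on the owner's side.
func NewIdentity(name string) (*Identity, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Identity{Name: name, Pub: pub, priv: priv}, nil
}

// tbs is the "to be signed" encoding: a 2-byte length prefix, the name,
// then the key, so that different (name, key) pairs cannot collide.
func tbs(subject string, pub ed25519.PublicKey) []byte {
	n := len(subject)
	out := []byte{byte(n >> 8), byte(n)}
	out = append(out, subject...)
	return append(out, pub...)
}

// Sign issues a certificate for a public key (someone else's, or the
// signer's own as a self-signature). Only the name and public key are needed.
func (id *Identity) Sign(subject string, pub ed25519.PublicKey) Cert {
	return Cert{
		Subject: subject,
		Pub:     append(ed25519.PublicKey(nil), pub...),
		Issuer:  id.Name,
		Sig:     ed25519.Sign(id.priv, tbs(subject, pub)),
	}
}

// VerifyCert checks that issuerPub really signed this (subject, key) binding.
func VerifyCert(c Cert, issuerPub ed25519.PublicKey) bool {
	return len(issuerPub) == ed25519.PublicKeySize &&
		ed25519.Verify(issuerPub, tbs(c.Subject, c.Pub), c.Sig)
}

// Trusted decides whether (subject, pub) is acceptable, given the issuer keys
// the relying party already trusts and how many independent valid signatures
// it demands. trustedIssuers = {the CA}, minSigs = 1 is a classic PKI;
// trustedIssuers = keys you verified in person, minSigs > 1 is a simplified
// Web of Trust. Each trusted issuer is counted at most once.
func Trusted(certs []Cert, subject string, pub ed25519.PublicKey,
	trustedIssuers map[string]ed25519.PublicKey, minSigs int) bool {
	seen := map[string]bool{}
	for _, c := range certs {
		if c.Subject != subject || !bytes.Equal(c.Pub, pub) {
			continue
		}
		ip, ok := trustedIssuers[c.Issuer]
		if !ok || seen[c.Issuer] || !VerifyCert(c, ip) {
			continue
		}
		seen[c.Issuer] = true
	}
	return len(seen) >= minSigs
}

func main() {
	ca, err := NewIdentity("ExampleCA") // invented CA name
	if err != nil {
		panic(err)
	}
	alice, _ := NewIdentity("alice@example.org") // invented user
	// PKI: Alice sends only her name and public key; the CA signs that.
	pkiCert := ca.Sign(alice.Name, alice.Pub)
	fmt.Println("CA-issued cert verifies:", VerifyCert(pkiCert, ca.Pub))

	// Web of Trust: peers who checked Alice's key in person sign it.
	bob, _ := NewIdentity("bob")
	carol, _ := NewIdentity("carol")
	sigs := []Cert{
		alice.Sign(alice.Name, alice.Pub), // self-signature
		bob.Sign(alice.Name, alice.Pub),
		carol.Sign(alice.Name, alice.Pub),
	}
	iTrust := map[string]ed25519.PublicKey{"bob": bob.Pub, "carol": carol.Pub}
	fmt.Println("WoT with 2 trusted signers:",
		Trusted(sigs, alice.Name, alice.Pub, iTrust, 2))
}
```

The same Sign and VerifyCert functions serve both models; what changes between the PKI run and the Web of Trust run is only the contents of the trusted-issuer map and the number of signatures demanded, which is the philosophical difference the post describes. Note that the self-signature is present in both cases but counts for nothing unless the verifier has independently chosen to trust that key.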
