[Wolves] PGP

Peter Evans zen8486 at zen.co.uk
Thu Aug 12 13:17:49 BST 2004


Actually the provision of digital certificates to individuals is very much a 
hot item at the moment.  I don't want to enter into a flame war, but central 
government are requiring that services be made available to the citizen 
electronically.  In order to do that they are mandating that certain 
authentication levels are met for 'sensitive' information.  This 
authentication is currently relying on digital certificates and, whatever the 
pros and cons of the whole scheme, PGP's model of a 'web of trust' doesn't 
appear to meet the criteria for the highest levels of data.  Unfortunately 
neither does the current Verisign model, although it does come closer.

The idea of a digital signature is twofold: firstly it confirms that the 
message was sent by the holder of the associated private key, which cannot 
actually identify the individual in either the PGP or Verisign trust model, 
but of more use it prevents the contents of the message being altered without 
alerting the recipient to this fact, providing they actually verify the 
message.  Even this is open to problems, as some of the recent PGP issues 
around address 'hijacking' have proven.

Do I think that we should have to digitally sign our messages for this list as 
a matter of course?  No, not yet.  But I think there will come a time, soon, 
where people will choose to use it, or even where email clients (particularly 
corporate) will enforce the use of either personal certificates or corporate 
ones on all email.

By the way, this topic seems to have generated a great deal of debate in the 
list.  Is this only due to the PGP/Verisign camp split?
-- 
Regards,

Pete Evans

(Yup, I checked, this is definitely me.  Trust me, I'm a doctor - errr hang 
on, no I'm not)


