--On Wednesday, February 25, 2004 18:03:04 +0100 Shane Kerr <shane@ripe.net> wrote:
Any technology for securing e-mail restricts client choice. Among the e-mail clients that members use, there is superior "out of the box" support for X.509 than PGP. I say this based on the research that we did in response to concerns about S/MIME compatibility.
Please elaborate, because I have a hard time finding an email client not supporting an ASCII-armored PGP message, but there are tons of them frowning on X.509 attachments. Some of us actually do the equivalent of:

    $EDITOR ripe-template.txt
    gpg --clearsign ripe-template.txt | /bin/mail somebody@ripe.net

for our RIPE communications.
As others have noted, we can support both X.509 and PGP. We can also support *only* PGP, although I think because of #2, above, this is not a good solution.
I would argue that it is the other way around; given the forced choice of "only one" the broadest support exists for PGP.
Although the basic question of "do we need this at all" still seems open to me. In some ways, security is like insurance: it is only a problem if you don't have it after you should have.
Ignoring the "PGP versus X.509" question, does the membership want us to support signed e-mail at all? What about encrypted e-mail?
Given the mess an evil person can do by creatively adjusting records in the routing database, I suggest that RIRen must actively promote the use of technologies that protect our infrastructure; thus, signing should be more or less mandatory, and encryption should be available for secure out-of-band communications -- this then more human-to-human, to solve strange issues, send sensitive data, and so forth.

rgds,
--
Måns Nilsson Systems Specialist
+46 70 681 7204 KTHNOC
MN1334-RIPE