-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

For the record: The RIPE NCC has no plans to stop supporting existing
use of PGP.

Havard Eidnes wrote:
|
| I'll have to agree with Måns; forcing X.509 handling and software
| as the only option for securing e-mail with the registration
| services mailboxes onto the LIR community is not something I see
| as particularly welcome.
|
| Today the LIRs have the option of securing communication with
| auto-dbm using PGP. This means that there is some deployment in
| the LIR community for using PGP already. Thus, I'm puzzled why
| the option of continuing to use PGP with the registration
| services mailboxes (hostmaster@ripe.net etc.) is not on the table
| as options. Yes, I can see there would be problems, but I have
| not seen any discussion which makes it clear why these problems
| are insurmountable (and I doubt they are).

The basic reasons to choose X.509 for e-mail are:

1. We don't have to develop key management tools. Such technology
   isn't rocket science - a public key upload form on the LIR Portal
   for instance - but security is hard to get right, and people who
   are experts in it have done the hard work for us if we use X.509.

2. Having the same authentication for all communication would be
   nice. This is not (easily) possible with PGP. You'd need a
   password for the LIR Portal and a PGP key for e-mail
   communication.

| I'll admit that I'm not familiar with usage of S/MIME in e-mail,
| so I don't know how invasive usage of that is going to be.
| However, it seems clear to me that if introduction of S/MIME and
| X.509 will impose restrictions on what e-mail clients can be
| used, one is intruding on an area where there may be emotional
| reactions, and the proposal as it stands does not really address
| those issues.

Any technology for securing e-mail restricts client choice. Among the
e-mail clients that members use, there is superior "out of the box"
support for X.509 than PGP. I say this based on the research that we
did in response to concerns about S/MIME compatibility.

As others have noted, we can support both X.509 and PGP. We can also
support *only* PGP, although I think because of #2, above, this is not
a good solution.

Although the basic question of "do we need this at all" still seems
open to me. In some ways, security is like insurance: it is only a
problem if you don't have it after you should have. Ignoring the "PGP
versus X.509" question, does the membership want us to support signed
e-mail at all? What about encrypted e-mail?

- --
Shane Kerr
RIPE NCC
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAPNVHAO5deE6kXkcRAn74AKCZ3RM/r1Qw+6/lwK7vnNVVgnlNTACdEox/
OlOQcmhwJD1Zqql0aJ5gtdU=
=wWNp
-----END PGP SIGNATURE-----