Re: [Full-Disclosure] PGP vs. certificate from Verisign

From: yossarian (yossarian_at_planet.nl)
Date: 05/10/03

  • Next message: Nick FitzGerald: "Re: [Full-Disclosure] Hotmail & Passport (.NET Accounts)"
    To: "Evans, TJ (BearingPoint)" <tjevans@bearingpoint.net>, full-disclosure@lists.netsys.com
    Date: Sat, 10 May 2003 02:57:12 +0200
    

    What I wonder - will Verisign have set up CRL servers yet? Remember the IE
    problem when someone got hold of MS certificates? The MS-fix was
    blacklisting them locally, the real problem was that there were no revocation
    servers. Then again, how many concurrent connections would they get if MS
    sent out a critical update?

    So - stick to PGP - forget about PKI.
    ----- Original Message -----
    From: "Evans, TJ (BearingPoint)" <tjevans@bearingpoint.net>
    To: <full-disclosure@lists.netsys.com>
    Sent: Friday, May 09, 2003 11:48 PM
    Subject: RE: [Full-Disclosure] PGP vs. certificate from Verisign

    > At one time, i.e. - don't know if it is still the case - Thawte would issue a
    > "personal cert" free.
    >
    > One advantage PGP has is the existing infrastructure for key distribution,
    > so that you do not necessarily need to have someone's public key (yet) in
    > order to encrypt to them or verify their signature. If they have pushed it
    > out to the publicly accessible key-servers you can get it as needed. But
    > again - it depends on what problem you are trying to solve and your
    > preferred method of doing so.
    >
    >
    > TJ
    > -----Original Message-----
    > From: Anne Carasik [mailto:gator@mail.cacr.caltech.edu]
    > Sent: Friday, May 09, 2003 3:46 PM
    > To: Kamal Habayeb
    > Cc: full-disclosure@lists.netsys.com
    > Subject: Re: [Full-Disclosure] PGP vs. certificate from Verisign
    >
    > OpenPGP is free :) as are other implementations of PGP.
    >
    > Paying VeriSign to create a digital certificate for you
    > is not worth it, considering most of the encryption you
    > run into in the wild is PGP keys.
    >
    > -Anne
    >
    >
    > Kamal Habayeb grabbed a keyboard and typed...
    > > Greetings,
    > >
    > > I'm trying to get some expert opinions on which is better. Using Outlook
    > > 2002, would it be better to use PGP to encrypt messages or use the built-in
    > > option with a digital certificate from Verisign (or some other CA)?
    > >
    > > Thanks,
    > >
    > > Kamal
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html
