2005-3
3

Quoth the stpeter:

“[JEP-0027] is limited to PGP keys and does not support X.509 certificates, Kerberos, RSA keys, etc.” — I’m not sure this is really a failing, since a smart Jabber client could generate PGP keys for users and thus hide the hard parts of generating and revoking keys.

Peter, are you saying that if my company of, say, 140,000 employees has a PKI that is based on X.509 certificates stored in LDAP, I should reissue PGP keys to them all? I am at a loss here. How is this not a failing? If I have a pre-existing directory service that contains encryption keys, I sure would want to use them to…encrypt.

I would go further to say that while PGP may be a good base upon which to establish a web-of-trust, how many people use it that way? The only people I know professionally who do this are security specialists. A rather small subset of the entire body of people I work with every day. (It’s a bit of a different case when I’m talking about my friends and FOAF–they’re all geeks like me.)

I like the idea of using the roster as a proxy for the web-of-trust model. It could work. But the instant that–what was her name–Aunt Tillie is prompted:

Please select the correct key:
  5B109954 2003-04-15 Hal Rottenberg
  436D3C9F 2003-04-17 Hal Rottenberg

–then it’s all over.

: http://halr9000.com/article/129

2005-03-04 03:52:58

Now now, let’s not pretend people can’t have two X509 certificates as well. :-)

To be fair, SSL-style encryption and OpenPGP both suck for normal users. Normal users don’t like OpenPGP because they have a feeling it’s geeky, and they don’t like SSL because the process of getting a key is way too advanced for a mortal (as opposed to OpenPGP, which is relatively easy in this respect.)

I get the feeling that the only encryption that will ever “work” for IM on a grand scale would be something like Off-The-Record. Just reformulated in XMPP, instead of being a shitty plaintext hack.
