X.509

Security professionals involved in the support of enterprise-class public-key infrastructures tend to ridicule OpenPGP and the web of trust. They view the idea as naive and consider the implementation to be amateurish. Of course, they celebrate X.509 certificates as being the best that happened to humanity since the invention of the transistor.

A sad example of entirely inappropriate arrogance, isn't it? These "professionals" have, evidently, no fucking clue. At home, I couldn't care less whether my friend signs his mails with a $500 certificate guaranteeing that he is Mr. Thomas Hauenstolz, Jr., III in real life. I don't even know his actual name. I know he's a good guy, and that's the only thing which counts.

For my job, however, I got such a certificate, and I also have to use it. What really annoys me is the difficulty of installing and using it. First of all, one needs to download the certificate. Konqueror doesn't support the import of certificates at all. Opera imports all right, and exports happily, but the exported certificate doesn't import in gpgsm, which however is necessary to use the certificate for signing e-mails with kmail...

Firefox can import the certificate, but the export fails with a meaningless error message ("unknown general error"). Google tells me that the certificate will be exported correctly when the tor add-on is disabled. Of course! *slapforehead*

Now, gpgsm imports the certificate. I test the whole thing by signing mails with my shiny new certificate and receive mails from the equally proud owners of X.509 certificates. It works! After some time I just wonder what exactly occupies so much RAM... ohhh, I see: each operation with my X.509 certificate spawns at least two gpgsm processes, which will remain in RAM until the end of days. Why? Ask a security professional.