Discussion regarding DebianLex/ProposedMetapackages.


Question: How is GnuPG or OpenSSL more appropriate for different aspects of confidentiality?

At Elaine's request I'll add some thoughts on this issue. Please take them as a draft and feel free to add/amend anything you feel appropriate:

My feeling (only a feeling) is that GPG acts on the 'file' level, i.e., on user space level, while SSL communicates with the kernel; but I would like more knowledgeable people to give us a better explanation.

From a practical and quite locally conditioned point of view, I have experimented with the following:

- Using GnuPG for signing/encrypting e-mails with a key-pair generated by GPG as a halfway solution between unsigned/digitally signed communications; I also use it sometimes for signing or encrypting sensitive files. I don't use it as a proper digital signature, due to the limitations imposed by the Argentinian digital signatures act (law # 25506, you can retrieve it - in Spanish - from here: http://www.safjp.gov.ar/digesto_2/index/normas/LEY%2024241/Ley25506.htm), which declares legally binding only those digital signatures made with the certificates issued by certified issuing authorities (CAs) - which is a whole different story. I don't know if it can import the keys corresponding to these certificates (in PKCS12 format); I haven't tried it so far (according to this page: http://wiki.cacert.org/wiki/PgpSigning it would seem that gpg can't)*. (You can retrieve mine - although it's old and expired - here: http://ca.sgp.gov.ar/eMail/searchCert.html , searching by last name.) According to local law, it doesn't provide a full digital signature, because it cannot attest to the identity of the person holding the certificate; but it was anyway a good point to start practicing. Btw, you will find a lot of certificates, since they expire every 6 months & I had to practice and insist a lot to make them work on Linux browsers.

- On the other hand, SSL is the cryptographic protocol that enables the kernel to communicate securely over TCP/IP, as stated here: http://en.wikipedia.org/wiki/Transport_Layer_Security (so it seems that my first feeling wasn't that astray, was it?). It seems that any modern distro installs it almost automatically; it is required by the Public Key Infrastructure (PKI) that handles certificates, which seems to be somewhat incompatible with the way gpg handles keys. For a better description of the PKI, see here: http://en.wikipedia.org/wiki/X.509 and here: http://www.ietf.org/html.charters/pkix-charter.html . I've used SSL in connection with the previously mentioned certificate issued by the CA of the Argentine government. As an aside, this certificate is only for signing, not encrypting.

I'm aware that this is by no means a comprehensive description and that each statement raises more questions, but I hope that I was able to convey the surface of the differences between gpg and ssl from a practical (and quite personal) point of view.


*Searching a bit more on the possible interaction between gpg & the X.509 protocol implemented by the Public Key Infrastructure I found this: " .16) Why doesn't GnuPG support X.509 certificates? - GnuPG, first and foremost, is an implementation of the OpenPGP standard (RFC 2440), which is a competing infrastructure, different from X.509. They are both public-key cryptosystems, but how the public keys are actually handled is different. " (http://www.gnupg.org/documentation/faqs.en.html#q6.16). There seems to be another piece of software, called gpgsm, which can import PKCS keys, but I've never used it.


I have not had time to check out postbooks. I heard of it as a good accounting package, but it claims to be a full CRM. It may have been integrated into OpenMFG (which is for manufacturing). It is unclear how suitable the CRM is for case management.


I just dropped virtualaw and mozart because they seem to have been inactive for a while.

Kumula-cases is dependent on kumula, which itself is not yet debian-packaged.

SugarCRM is very active, and commercially oriented. It has a "community edition" which does fit the DFSG. Although its web pages include the term "case management", it is not clear how suitable it is for legal case management.


Removed jinterview. It has been inactive since 2005.


openevidence has been inactive for about 5 years.


openefm has been inactive for about 4 years.