
Re: Principles and Principals

1997-09-25 02:26:56
-----BEGIN PGP SIGNED MESSAGE-----

> DNSSEC is better than nothing, but it is no substitute for key
> certifications by people you know and trust.
 
Absolutely. I'm just not sure how well the system can scale further than
people you know and trust. While the technology is there to do very
complex trust webs, incorporating large and small-scale CAs as well as
friends, I think the human concept of 'trust' is stretched a little by
this. SPKI is quite elegant in the way that all key trust is local; in
practice, I rarely currently find a key with a trusted certification
path to it. And that's in the rather incestuous Internet community. Once
significant percentages of the world's population are on-line, it could
all become horribly complex. I agree that the current PGP model is great
for guerrilla groupings. I just wonder how good it will be for thousands
of millions of people who may want to write to (say) an address on a Web
page, or reply to a message on a mailing list - i.e. communicate with
someone entirely as a virtual entity rather than a physical one. There,
I think DNSSEC can be a big help, although of course not a panacea.

However, my main point is about distributing keys, not certifying
them...

> We looked into putting PGP certificates into the DNS as an alternative...
> You still have the reverse lookup problem

Might the IETF draft 'The DNS Inverse Key Domain'
(ftp://ietf.org/internet-drafts/draft-ietf-dnssec-in-key-00.txt) help
with this? However, if we set up an e-mail-only keyserver system, people
will always know the e-mail address of the sender. As I said, I'm not
sure if I can see many other situations where it is more efficient to
set up a full-scale key distribution system rather than simply supply
the relevant public key certificate along with a signed object.

> at this point it looks like LDAP and HTTP are more
> promising approaches for key distribution.

How are you planning to create a distributed system with this approach?
With a similar system to PGP5, putting an X key lookup header in a
message?

Ian >:)

-----BEGIN PGP SIGNATURE-----
Version: Cryptix 2.21

iQCVAgUANCouP5pi0bQULdFRAQELRQP7B2RlTC2/0eiXD4LApCmDCzFradO2y3qDMTMyuS18sAeg
yuA/2x4gowJOIVWq6s07K79ZfvxmlB5JPN7VGaf+qttLzjXAgjphqbSdVFfOaKaFkADgRM/xH9Z3
/Ggyr2uFx4oKlhvbDndB/EMrL8G/6xyQTcw4d8qTDJ3/C+gGY1U=
=dIPu
-----END PGP SIGNATURE-----
