ietf-openpgp

How many 2.6 users?

1997-10-30 20:57:02

Gene Hoffman wrote:

I think that comparing what is in use today (90K DSA/ElGamal keys versus
20K RSA keys) with how many total copies of an old piece of software
were distributed is a logical flaw.

I must admit that I don't know how the 4 million was calculated, and I
agree that it is not a rigorous comparison.  I would like to see some
rigorous numbers, but I wonder how to calculate numbers on a product
that was fundamentally distributed through informal means.  I say this
seriously because a lot of Systemics' product is like that - I simply
don't know how much is out there.

I grant that I am making an
assumption, but it would seem that the majority of keys in use would be
on the public keyring. Of these it's clear that there is most likely a
majority of users with DSS/EG keys.

Well, let's assume not a majority, but half, because it makes the
numbers easy.  Also, of the 20k old keys up there, let's guess that
*all* of them are from old software, and not new software.

That makes 40k copies of pgp2.6 out there in use today.  As in, double
the 20k.  I don't think that has any bearing with reality, nor the
figure of 4 million.  If the number was that low, why did PGP Inc bother
to keep the old algorithms in pgp5.0?

I happen to think the existing pgp2.6 user base is important, and I
address it at long ranting length below.  Apologies to all for the length,
skip this mail if you are unconcerned.



A few observations:

1. Maybe not representative, but my own experiences over 4 or so years
of usage:  I don't know anyone (amongst those users I regularly
communicate with using pgp) that gets keys from servers, and who puts
keys on servers as a useful exercise.  I have indeed put my key up there
(and have done in the past) but I cannot recall anyone who has got it
off the server and sent me some encrypted email.  People just mail me
and ask me for the key.  That they do a lot.

( Perhaps we could ask the server sysadms:  of the keys on the servers,
what is the spread of 'gets' on those keys.  I.e., what percentage have
one get, what for 2, 3, ....  Wouldn't work if there were some automatic
key getters in operation, but I don't know of any. )

2. I suspect that the US cypherpunks use servers more than the people
that I communicate with regularly.  But not so as it has ever come up in
conversation that I can remember.

3. I suspect that server use has gone up dramatically because newer
mailers (Ian's Enigma and PGP Inc's pgp5.0 for example) will manage the
server interface for you.  That is, I wouldn't be surprised if the
reason that servers have many pgp5.0 keys is simply because pgp5.0 makes
it easy to put the keys up (and pgp5.x is sold without RSA, it's an
extra).  Which means of course that one cannot conclude anything about
pgp2.6 user bases, but you might be able to conclude that the pgp5.0 base
is related to keys on servers.

4. Server use is sort of contradictory to the web of trust and key
signing ethos of PGP.  People meet to exchange keys and signatures.  The
culture of trust meant that you wouldn't use a key that you didn't
trust, and getting it from a keyserver without a sig was clearly
questionable in the strict diet of no-compromises security.

OTOH, professional pgpers exchange pieces of paper with fingerprints and
server references, and if you got a broad enough circle, you would find
that you could get a key off the server and find it signed by someone
you already knew.  That's only happened to me once though (and it wasn't
from a server), and hence, 2. above, I suspect it only really happens
with the cypherpunk crowd.  Which is to say, this is an idea for the
future, not indicative of the past.




I am beginning to wonder why there is such a divergence of opinion in
the importance and size of the pgp2.6 user base.  Are the business types
amongst us perhaps extrapolating the current sales data into an
understanding of the user community?

Focusing on the people you are selling your current product to, hell,
that's great, it sounds dumb not to focus on customers.  The problem is,
you are not ever likely to sell a copy to the majority of current
users.  That's because, like all freeware markets, most won't pay for
something they already have for free.  (Some will, which is what makes
it worthwhile to spread software via the freeware distribution method).
We should also remember that there are a lot of users outside the US,
and I guess that doesn't really get analysed either due to the local
difficulties.

Unlike a sales-oriented organisation, the IETF process supports all
users, or at least the one I dial into every day does.  Those that don't
pay for product are just as valuable as the ones that do, and whilst we
sometimes pay lip-service to this notion, fobbing it off won't work on
the Internet.  The net was built by the non-paying kind of user - it
couldn't have been built by the paying kind, and those newbie companies
that want to make money on the net would do well to realise this early
on.

The base of users that exists today really is the pgp2.6 crowd, IMNSHO,
and the challenge facing those in the freeware area at least is how to
convert these people over to the new format.  If this user base wasn't a
significant number, then there would simply have been no reason to
bother having the old keys in pgp5.0.  If there was any possibility of
creating a majority market within 6 months of use, then it makes more
sense to drop the old algorithms and get on with the job.  Building a
pgp product with a single X/Y/Z suite of algorithms would have saved
some significant lump of the time, as well as cutting down the support
nightmare (and each bug report leading to a new sale :-)



Of course, this foolishness didn't happen, pgp5.0 went out there with
full compatibility (albeit via an optional paid extra).

But the issue keeps getting raised, so in order to clarify this
situation, let's find out.  How can we work out how many pgp2.6 users
are out there?  I've got one suggestion: post to cypherpunks these
questions:

    * what proportion of the people you use
      pgp with have started using ElGamal
      (or DH) keys ?

    * what proportions of the above are in
      cypherpunks, and what proportion are
      not in cypherpunks ?

This is a simple 2 by 2 matrix - done this way to show any skew of
cypherpunks talking to each other and being counted twice.

Any other suggestions?  We could all look at our key rings and count the
mix.  My own numbers: 1 versus 27 (all used within the last month). 
This of course would be biased given the group but my own experience
reflects one biased key only :-)  Feel free to send me privately the
result and I will count them and report.

As an absolute lower limit:  count this ratio within PGP Inc, and we can
be sure there aren't less than that proportion.



This standards body must take on board who the current user base
is, notwithstanding that the majority of us want to sell software.  If we
are to make a case that this body of users is to be disenfranchised in
any way, it must be on very strong grounds, by unbiased analysis.
Elsewise, this is not a standards organisation for users, but one for
some other interested parties.  Not in the IETF spirit of things at all.

-- 
iang                                      systemics.com

FP: 1189 4417 F202 5DBD  5DF3 4FCD 3685 FDDE on pgp.com
