Re: The web of trust has no clothes.
1997-11-24 20:55:06

Ian Grigg wrote:
> David Sternlight wrote:
>> Another flaw in the web of trust and PGP is now revealed and comes home to roost. Now that PGP Inc. has deep-sixed RSA in new free versions, not only does everyone with an old RSA key have to generate a new key but also a complete new set of signatures and web of trust must be built if they wish to use the "better" algorithms. And the new keys must be distributed to correspondents, either directly or by "pull" from servers. This took years the first time--perhaps the second time it will be a bit faster.
>
> Slow down David. You are right that there are now two WoTs and they don't look like getting back together, assuming good takeup on the freeware pgp5.5. However, the new Open PGP format does have the ability to separate out your signing key from your usage keys. I think there is an ability to sign keys of different algorithms, as in SSL V3. Is that the case?

Dunno. My purpose in posting this to the Open PGP list was to point out that Open PGP needs a mechanism, if it hasn't already been created, that will avoid invalidating or slicing off an entire web of trust structure if a crucial algorithm changes. There's nothing like a worked example to clear minds.

David

>> In contrast, with S/MIME-Verisign-Netscape/Microsoft if they were to change the algorithm you just generate a new key and get one certificate and you're done. And as you e-mail your correspondents using your new certificate, they get a copy of your new key automatically. And some say PGP's trust model is "better". Can you say "needs work", boys and girls?
>
> The work *is* being done. I agree that the PGP Inc schedule leaves the customer cold or dead, and this WG perplexed, but the direction is reasonable.
>
> -- iang systemics.com FP: 1189 4417 F202 5DBD 5DF3 4FCD 3685 FDDE on pgp.com