Ian Grigg wrote:
David Sternlight wrote:
Another flaw in the web of trust and PGP is now revealed and comes home
to roost. Now that PGP Inc. has deep-sixed RSA in new free versions,
not only does everyone with an old RSA key have to generate a new key
but also a complete new set of signatures and web of trust must be built
if they wish to use the "better" algorithms. And the new keys must be
distributed to correspondents, either directly or by "pull" from
servers. This took years the first time--perhaps the second time it will
be a bit faster.
Slow down David. You are right that there are now two WoTs and they
don't look like getting back together, assuming good takeup on the
freeware pgp5.5.
However, the new Open PGP format does have the ability to separate out
your signing key from your usage keys. I think there is an ability to
sign keys of different algorithms, as in SSL V3. Is that the case?
Dunno. My purpose in posting this to the Open PGP list was to point out that
Open PGP needs a mechanism, if it hasn't already been created, that will
avoid invalidating or slicing off an entire web of trust structure if a
crucial algorithm changes. There's nothing like a worked example to clear
minds.
David
In contrast, with S/MIME-Verisign-Netscape/Microsoft if they were to
change the algorithm you just generate a new key and get one certificate
and you're done. And as you e-mail your correspondents using your new
certificate, they get a copy of your new key automatically.
And some say PGP's trust model is "better". Can you say "needs work",
boys and girls?
The work *is* being done. I agree that the PGP Inc schedule leaves the
customer cold or dead, and this WG perplexed, but the direction is
reasonable.
--
iang systemics.com
FP: 1189 4417 F202 5DBD 5DF3 4FCD 3685 FDDE on pgp.com
smime.p7s
Description: S/MIME Cryptographic Signature