ietf-openpgp
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: expediency and avoidance of politics

1997-11-25 14:45:04
from [Ian Grigg] [Permanent Link] 
Adam Back wrote:


It seems to me that the debate over CMR and it's more secure
alternatives could easily be deferred to OpenPGPv2 with no
compatibility issues.

...

Avoiding, or deferring the political debate seems like it would be a
good idea for a number of reasons:

- it would allow us to focus on getting OpenPGPv1 out in a timely
  manner.


Agreed.  The existance of the CMR/AAR field could erupt again I guess.


- it would allow more time for PGP Inc to get feed-back on this
  controversial experimental feature from their customers as to how
  CMR performs functionally in practice (I am expecting there will
  be complaints about the lack of ergonomic recovery from forgotten
  passphrases -- all files have to be re-encrypted), how the security
  of the system holds up (how well companies are managing very
  sensitive CMR master keys), and to gauge customers acceptance of the
  feature politically.


I'd also add that it would allow more time to actually develop internal
experience with this method.  The design as I understand it has existed
on paper for some time, and within the code since pgp5.0, but has not
really been deployed until recently at test sites.

Such a change of infrastructural import needs to be put in the field for
some time before we could really state that it is working how we
intended.  As there's no evidence that any experience  has been gained,
it remains in the "interesting proposal" basket, contents of which
aren't really ready for prime time WG consideration.


- it will give time for more secure competing proposals (such as local
  escrow) to be developed for recovery from forgotten passphrases.


Yeah, well, enhancement of competition, the level playing field, all
that interventionist stuff, is not really in the mission statement for
the IETF.  Not that I don't sympathise with your paper that is :-)


The consolidation phase would then be in OpenPGPv2 where the better
solution would be chosen in OpenPGPv2 for standardisation.


You could say that the choice phase is conducted in the market place,
and the acceptance phase is the job of V2.  But, in an absence of
competition, no choice is possible.  So no decision at this time.

(my incoming mail's been broken for a day or two, so this might be out
of time.)
-- 
iang                                      systemics.com

FP: 1189 4417 F202 5DBD  5DF3 4FCD 3685 FDDE on pgp.com
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  103-microsecond 2048-bit verification on a Pentium-133, D. J. Bernstein
Next by Date:  Re: expediency and avoidance of politics, Bill Stewart
Previous by Thread:  expediency and avoidance of politics, Adam Back
Next by Thread:  Re: expediency and avoidance of politics, Bill Stewart
Indexes:  [Date] [Thread] [Top] [All Lists]