ietf-openpgp
[Top] [All Lists]

Re: v4-only keyanalyze

2003-03-17 02:26:13

On 3/16/03 6:51 AM, "Werner Koch" <wk(_at_)gnupg(_dot_)org> wrote:


On Sat, 15 Mar 2003 18:57:14 -0500, Jason Harris said:

Summary:  strong and reachable set sizes are reduced by about 50%.

Frankly, I expected such a result.  So we have a good reason not to
deprecate v3 keys used for key signature.  "an existing v3 key MAY be
used for key certification" sounds reasonable.

Again -- I want to say more about what "deprecate" means. It does *not* mean
to get rid of things. It means, in plain words, "Don't do this any more,
because it's going away."

Deprecating V3 keys would mean something like saying that they ought not (I
pick that because I don't want to presume a SHOULD or MUST) be created. One
ought not make any *new* ones.

It could also mean that we would say that existing V3 keys ought not certify
keys -- or that such certifications ought to be V4. There's nothing wrong
with making a V4 signature with a V3 key, don't you know.

I think it is far more significant that 91% of all keys are V4. This tells
me that we can safely deprecate V3.

It is my opinion that any information about "set sizes" is a canard for
several reasons.

* Since no one is saying that deprecating means eliminating said keys, this
is a straw man argument.

* OpenPGP does not specify a trust model, and "reachability" is not even
part of the traditional PGP Web of Trust. Such discussions are
extra-OpenPGP.

* This does not take into account another factor -- that of the "security"
of the keys. This is also one of the things that is beyond OpenPGP and even
any discussion of public key cryptography.

There's a paradox we deal with. On the one hand, the most secure keys are
the new ones. Older keys are more likely to have become compromised. On the
other hand, older keys are the ones that are more connected. They have to
be.

I'll bet that if you look at the most connected V3 keys, you'll find few if
any of them less than a year old. Even less than two years old. An analysis
of "reachability" that does not consider key age at all is flawed, unless
you subscribe to the radical notion that the age of keys doesn't matter.
(Now, to be fair, I have in the past argued this notion myself, but I know
I'm being a radical when I do that.)

However, that's not germane to this discussion. Let me repeat myself.
Deprecating V3 keys does not mean saying existing keys should be immediately
swept away. Eventually, sure. But I'd say that the date at which we should
declare existing V3 keys to be no longer viable should be *after* a
reasonable lifespan of a key.

    Jon