ietf-openpgp

Other OpenPGP tasks

2008-06-14 07:11:47

I was not paying attention to the discussion about the WG shutting down,
and would have brought this up then, but it seems that shouldn't affect us
much anyway.

In addition to the remaining drafts that have been mentioned recently
(including my WHIRLPOOL draft, which is blocking on a good, free citation,
though that should be fixed next week), I see a need for IETF guidance in
two other areas.

1. The trust calculations on key rings, AKA "the web of trust."

This is currently treated as out of scope of OpenPGP's message format and
up to the implementor. While I agree it doesn't belong in 4880, I think
that we would benefit from having a standardized trust metric algorithm.
The one in PGP is pretty sound, in my opinion, but has some arcane nits
that aren't obvious at first. I don't know if GnuPG calculates trust the
same way -- I'm pretty sure there are differences.

Minor differences in trust calculations are unlikely to lead to problems
-- it doesn't affect interoperability, and should only rarely cause
noticeable differences in behavior between implementations for the same
keyrings. Those aren't my concerns, though I'm sure that implementors
would like the ability to do trust calculations the way that the leading
implementations do them. I am, however, concerned about a 4880
implementation that decides to use a really broken trust calculation, such
as one that trusts keys six hops away on the signing chain, for instance.

So, an ID for Trust Calculation in OpenPGP seems like a good thing, both
from a "best practices" standpoint and a documentation of current
behavior.


2. Key servers. Last I visited this topic was about eight years ago;
Rodney Thayer and I had part of an ID written up describing HKP, the NAI
LDAP and LDAPS schemas, etc. I still have it if it is useful, though it may
be mostly irrelevant now. But the question remains: as an implementor, if
I want to talk to the key servers, how do I do it? I'm sadly out of touch
with the key server operators community these days, and am not even sure
what the dominant key server software is (aside from the Global Directory,
which is a special case), but I think this issue warrants further work.
We've had quite a long time to come up with a stable key server interface;
let's document it so that it remains that way.


Thoughts?



Best,

Len
