On Sat, Jul 25, 2015 at 8:19 AM, Paul Wouters <paul(_at_)nohats(_dot_)ca> wrote:
On Fri, 24 Jul 2015, Werner Koch wrote:
PHB wrote:
2) If people find it does not meet OpenPGP needs, they should say so and
have no qualms about objecting. It is much more important that there be a
spec people use than that the document progress quickly.
This document has not progressed "quickly". The original draft was
published in July 2013. No one is trying to rush this through.
I am quite happy waiting till 2016 or 2018.
If it isn't done right it's better not to publish at all.
I was a bit disappointed by the process: I learned about the I-D too late
and was surprised that it started out at the OpenPGP WG mailing list (2
years ago?) with just a few messages and then continued at the DANE list
without having notified the OpenPGP list.
This is now the fourth time I am having this discussion with you, so I
think your representation is not entirely fair. The previous discussions
ended with you saying we should not do this and stick to the CERT record
type and me stating why I disagree with that view.
Ummm, watch your attributions: that is Werner, not me.
The DANE group has been rather ineffective in getting the constituencies
they purport to be serving to buy into their proposal.
Additionally, because the CERT record is a meta-container record,
support for CERT is not good because to properly parse it you need
all of openpgp and all of x509 and all of what other subtypes would
be added later on. So instead of implementing CERT records partially,
many DNS implementations just did not bother with it at all.
All of X509 isn't a big barrier. It took me a week; four days of that was
writing the Assinine One compiler. I am not aware of any major crypto
package that doesn't have the ability to parse X.509 certs. Werner isn't
the only person who has a PKIX package in his OpenPGP library.
Back in 1990 the idea of using OpenPGP to avoid the need to mess with
Assinine One made arguable sense. Today it's a lost cause. I stopped
fighting that battle in 1995.
The CERT record is more flexible because it also allows the use of an
indirect specification via fingerprint.
Which is a problem, not a feature. It makes the security model very
complex.
No, the security model is complex because you are trying to use a vast,
aging and vaguely understood infrastructure with a byzantine administrative
model to provide security.
Failing to accept that fact is one of the many reasons people are skeptical
of this project and looking for ways to work round it.
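The "meta-container" point above (a CERT record consumer must dispatch on the subtype before it can interpret the certificate field, and the IPGP subtype only carries a fingerprint plus URL indirection) can be illustrated with a small RFC 4398 RDATA decoder. This is an added example, not code from any poster or from any DNS implementation; the sample records are constructed inline, and the `describe` helper and its wording are mine.

```python
import struct
from dataclasses import dataclass

# RFC 4398 CERT RDATA layout: type (16 bits) | key tag (16 bits) |
# algorithm (8 bits) | certificate or CRL (variable). Subtype values
# are the ones registered in RFC 4398 section 2.1.
CERT_TYPES = {1: "PKIX", 2: "SPKI", 3: "PGP", 4: "IPKIX", 5: "ISPKI",
              6: "IPGP", 7: "ACPKIX", 8: "IACPKIX", 253: "URI", 254: "OID"}


@dataclass
class CertRdata:
    cert_type: int
    key_tag: int
    algorithm: int
    payload: bytes

    def type_name(self) -> str:
        return CERT_TYPES.get(self.cert_type, "UNKNOWN")


def parse_cert_rdata(rdata: bytes) -> CertRdata:
    """Split the fixed 5-octet header from the subtype-specific payload."""
    if len(rdata) < 5:
        raise ValueError("CERT RDATA shorter than the 5-octet header")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return CertRdata(cert_type, key_tag, algorithm, rdata[5:])


def parse_ipgp(payload: bytes) -> tuple[str, str]:
    """IPGP payload: one-octet fingerprint length, fingerprint, then URL."""
    if not payload:
        raise ValueError("empty IPGP payload")
    n = payload[0]
    if len(payload) < 1 + n:
        raise ValueError("IPGP fingerprint truncated")
    return payload[1:1 + n].hex(), payload[1 + n:].decode("ascii")


def describe(rdata: bytes) -> tuple[str, str]:
    """Show which parser each subtype would pull in (helper written for this example)."""
    rec = parse_cert_rdata(rdata)
    name = rec.type_name()
    if name == "PGP":
        return name, "needs an OpenPGP packet parser (RFC 4880)"
    if name == "PKIX":
        return name, "needs a DER/X.509 parser"
    if name == "IPGP":
        fp, url = parse_ipgp(rec.payload)
        return name, f"fingerprint={fp} url={url}"
    return name, "opaque: subtype not implemented, cannot validate"
```

A consumer that implements only some subtypes must treat the rest as opaque, which is exactly the partial-support outcome the thread describes.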
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp