What is needed is for someone in the PGP community to produce an
Internet-Draft documenting the PGP design, and explaining why it should
continue to live. That is, what are its non-PEM virtues? (E.g.,
Edward Vielmetti has suggested some reasons.)
Then, assuming enough agree that PGP should live, a way is needed for
PGP and PEM to interoperate. Because I, a "user", refuse to have to
I realize that someone else has already responded to this, but I feel
that I must as well. First of all, there is a document underway to
formally describe the PGP Protocol. I cannot (and will not) say any
more about this document, other than that it is based upon the
pgformat.doc letter which is distributed with PGP.
As for the rest, I don't believe that *anyone* here has the power NOR
the right to say "why it should continue to live". You have no right
to say whether a product is good or bad, that is up to the
marketplace. As such, the "PGP vs. PEM", as you so like to put it,
should be left open to the marketplace, the computer e-mail (and other
communication technology) users of the world. Let them make the
decision, since it is their use which will define the "standard".
I agree, at some level, that there should be only one (gee, I sound
like a character in a movie with swordfighting, don't I? ;-) However I
do not believe that anyone here has the right to say "It must be our
way". I do not mean to say that I believe that PEM should "be killed"
(as you seem to imply towards PGP). On the contrary, I think that PGP
has lessons to learn from the PEM formalization. Conversely, I think
that PEM also has a lot to learn from the PGP initiative.
Also, Rob, I was looking at your next message, in which you do tone
down your PGPicidal remarks ;-), at your list comparing PGP to PEM on
an RFC-basis!! You claim that "if PGP were so well engineered, it
would look a lot like PEM". I argue that at face value, it does look
a lot like PEM, if you ignore the much of the mask put on it.
First of all, you routinely state that there is "no spec". Well, in a
way that is true, there is no RFC, Internet Draft, or anything of that
order (although there has been working, deployable code for over a
year). However, there is the documentation that is distributed with
PGP that describes much of the format, however informal that document
is currently. (I agree, it is not enough, and this is being
remedied).
Second, you continually say "designed to fit with other protocols in
the Internet suite", and I ask, WHICH ONES? (This is a rhetorical
question.) At face value, it seems that it was designed to work with
SMTP, X.400, and X.500! Personally, I don't consider those viable
protocols in today's networking world. And again, personally, I don't
consider them viable in TOMORROW's networking world. Maybe in 5 years
or so, but not in the near, Internet-time-frame view.
Third, you state, under RFC 1423, "The algorithms, because ``the
protocol'' is algorithm independent", and under PGP you state "IDEA
and RSA ... (Selection based on confused info about DES and export
laws.)" I say to you, as I've said in the past, that PGP has in it
algorithm identifiers for all of the message digest, secret-key, and
public-key systems. So, the PGP Protocol *IS* crypto-algorithm
independent! As for confused selection of DES, well, given the $1M
DES key-search engine, I would forward that it was a bright decision,
way ahead of its time. Wouldn't you?
And again, under your RFC 1424, you say for PEM "Key Certification and
Related Services.", and for PGP you say "Not thought out yet;
different paradigm". Now wait a second, since when does a "different
paradigm" entail "not thought out"? This seems an extremely
egomeniacal view of the world, does it not?
I'm not saying that PGP is the end-off of cryptography, nor am I
saying that it is perfect. It has its share of problems, some of
which the PEM development team has answered. But please don't go
about bandering distaste for PGP when you clearly don't understand it
yourself. Your statements prove this fact.
Consequently, I would suggest that people take a close look as to why
some people like PGP over PEM, and maybe consider that PEM does have a
few things to learn from the PGP team. I would be the first to
acknowledge that PGP has things to learn from PEM! Again, I urge
people to have an open mind. One of the reasons that the Internet has
done so well is that people can generate new uses for old ideas,
taking things in directions that the original creator(s) may not have
even dreamed possible. Yet if those original creators developed such
a rigid structure that such change was impossible.... Think about it,
Rob.
-derek