On Wed, 23 Mar 1994, Steve Dusse wrote:
Does anyone else think the flexibility to support the RFC 1422 trust
model as well as alternate trust models is a good idea ?
Count me in. The RFC 1422 trust model is really just a special case of
the direct trust model, and I believe that the extra flexibility will be
beneficial while PEM usage grows. Let's let the market decide what is the
best trust model in the long run.
The only semi-convincing argument for staying with RFC 1422 seems to be
that of scaleability. But, let's not forget that the main use of
privacy-enhancement features at present is for communication between
private parties. You can normally count the number of regular contacts on
your fingers, which makes them easy to verify directly. For other more
casual contacts, you would have to be clinically paranoid to require that
all keys be signed back to the IPRA. If you're that paranoid, then you
probably still won't be convinced unless you can verify the key directly,
so all the scaleability in the world won't save you. :-)
I think that PGP has fairly convincingly demonstrated that direct trust
has its uses, and I think that RFC 1422 demonstrates how scaleability can
be acheived when one gets beyond a circle of friends. Let's have both.
Cheers,
Rhys.