pem-dev

Re: Q: PEM and secure EDI on the Internet

1995-02-23 09:57:00
At 9:13 AM 2/21/95, Jueneman(_at_)gte(_dot_)com wrote:
Having recently reviewed PGP in more detail, thanks to the book passed out at
the Internet meeting, I don't quite agree with you. Other than some of the
unpleasantness between Bidzos and Zimmerman and the appeal of PGP to the
"counterculture McGovernites," I don't see much wrong with PGP for a low to
medium assurance encryption (primarily) and digital signature system. And I
don't care about "winners" and "losers," so long as we end up with a workable
system for high assurance transactions in the end.


Bob,

Why try to tag PGP encryption as being of "low to medium assurance?"  Isn't
its encryption every bit as strong or stronger than PEM?

Steve

Steve, to the best of my knowledge the digital signature algorithms and the
message digest algorithms are the same, so that's a tie with respect to
signatures. The IDEA algorithm uses a 128 bit key, and so on the surface would
appear to be significantly stronger than DES, on the order of triple DES from
the standpoint of exhaustive search. However, a Rubik's cube also has a gazillion
different combinations, but can be solved in a minute by a bright 10 year old
(no one over 10 need apply, however.) My point is that IDEA has not had nearly
the amount of cryptanalytic effort poured into it that DES has, and so as far
as I am concerned the jury is still out. On the other hand, we know that single
DES can no longer be considered strong enough to protect important data. Is
128-bit IDEA stronger than 56-bit DES? Who knows? I'd like to see PEM adopt
triple-DES and be done with it.

That wasn't what I meant by assurance, however. Although PGP uses a different
format for its certificate than X.509, they are more or less equivalent in
principle. PGP allows multiple people to sign a certificate, and bases its trust
model on how many of those signers the individual user knows and trusts. In a
sense, every user is potentially a CA, and certifiers/CAs that might be a
little shaky from the standpoint of key management, etc., can be reinforced by
requiring N-person control -- multiple signers. So even though the certifier is
using software-based encryption instead of something like the BBN SafKeyPer box
to sign certificates, the use of multiple certifiers presumably lowers the risk
of compromise.

So far, this makes a lot of sense, and in many ways is more flexible and
perhaps even more sound than PEM's model of an authoritative top-down model
that provides strong controls over the syntactic validation of a signature but
little if any controls over the trust that might be associated with a given PCA
or CA under the IPRA.

Where PGP falls down, at least in the current version, is that the mechanisms
for certificate revocation are rudimentary. Certificates don't have expiration
dates, and there is no requirement that users check a repository to see if a
certificate has been revoked. (Of course PEM's implementation of CRLs,
especially the distribution of them, isn't something to brag about too much
either.)

In addition, there are no constraints other than an individual's judgement as
to what kind of identification should be required before signing someone's key,
and there is no contractual or other kind of binding agreement between a
certifier and a user. As a result, it would be very difficult to sue a
certifier, even for gross negligence. The use of multiple signers alleviates
the problem to a certain extent, but it also dilutes the responsibility.

Likewise, when a user generates his certificate, he is free to include almost
anything he likes as a "name" field. There is not necessarily any tie to the
user's organization, and it is somewhat unlikely that individual certifiers
would actually check to see if a person's residential address is correct.

Of course, there is nothing to prevent an individual PGP user from taking the
position that he will only trust certifiers with whom he _does_ have a
contractual relationship, and require that they only "introduce" people in
accordance with a particular policy, albeit one that is not necessarily widely
published. Such a user could also insist that only users with smart cards be
certified, if that is the desired policy. So if the IPRA published certificates
for all of the PCAs in PGP format, a PGP user could make use of the PEM
hierarchical trust model just fine.

I can hear lots of people saying, "what's wrong with all of that -- that sounds
pretty good to me." And if you are trying to protect messages between college
students rather than trying to sign contracts for oil tankers, in fact the
system is pretty darned good. There may be some problems of scalability,
depending on how many friends you have, but that could be solved by the
introduction of having organizations sign certificates rather than individuals
-- colleges, banks, USPS, etc., just as PEM will (eventually) do.

I think the real differentiation will come when PEM adopts X.509 v3, for that
will allow all of the policy issues to be spelled out and enforced much more
easily and efficiently. Of course, if the PGP community wanted to, they could
adopt X.509 v3 (or their own alternative) as well, in PGP version 3.0.

We'll have to wait and see what happens.

Bob


Robert R. Jueneman
GTE Laboratories
40 Sylvan Road
Waltham, MA  02254
Internet: Jueneman(_at_)gte(_dot_)com
FAX: 1-617-466-2603 
Voice: 1-617-466-2820
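As an added illustration of the trust-model points made in the post above (this is not code from the thread or from PGP or PEM), the following Python models the acceptance rule the post sketches: a cert is trusted only when N introducers the user trusts have signed it, it has not passed an optional expiration date, and it is absent from whatever revocation list the user actually consulted. All key IDs, names and dates are constructed; the same rule with "trust only the IPRA-published PCAs, one signature suffices" reproduces the hierarchical PEM-style policy the post mentions.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional, Set


@dataclass(frozen=True)
class Cert:
    key_id: str                      # constructed key identifier, not a real key
    name: str                        # free-form "name" field, as the post describes
    signers: FrozenSet[str]          # key IDs of the certifiers who signed this cert
    expires: Optional[date] = None   # None models a PGP cert that carries no expiry


def accept_cert(cert: Cert, trusted: Set[str], n_required: int,
                today: date, revoked: Set[str]) -> bool:
    """Accept a cert only if it is not on the revocation list the user
    consulted, not past its expiration date, and signed by at least
    n_required introducers that this user personally trusts."""
    if cert.key_id in revoked:
        return False
    if cert.expires is not None and today > cert.expires:
        return False
    return len(cert.signers & trusted) >= n_required


# Constructed sample data: the user trusts three introducers and requires
# two of them (N-person control) on any cert it accepts.
TODAY = date(1995, 2, 23)
TRUSTED = {"alice", "bob", "carol"}
DAVE = Cert("dave", "Dave, 1 Main St", frozenset({"alice", "bob", "mallory"}))
EVE = Cert("eve", "Eve", frozenset({"alice", "mallory", "trent"}))
FRANK = Cert("frank", "Frank", frozenset({"alice", "bob"}),
             expires=date(1994, 12, 31))


def web_of_trust_demo(revoked: Set[str]) -> dict:
    """Evaluate the sample certs; `revoked` is whatever revocation list the
    user actually fetched (an empty set models a user who never checks)."""
    return {c.key_id: accept_cert(c, TRUSTED, 2, TODAY, revoked)
            for c in (DAVE, EVE, FRANK)}


def hierarchical_demo(pca_keys: Set[str], cert: Cert) -> bool:
    """PEM-style policy: trust only the PCA keys the IPRA published, and let
    a single PCA signature suffice (N = 1)."""
    return accept_cert(cert, pca_keys, 1, TODAY, set())
```

Note that DAVE is accepted whenever the user skips the revocation lookup, which is exactly the gap the post points out for certs with no expiration date.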

