1995-02-12 - Re: the problem that destroyed PGP

Header Data

From: “Perry E. Metzger” <perry@imsi.com>
To: “W. Kinney” <kinney@bogart.colorado.edu>
Message Hash: 048ea09029e45cd450dab67e95ffa61930af959df380e903a738c56248d77965
Message ID: <9502121802.AA19017@snark.imsi.com>
Reply To: <199502121757.KAA12098@bogart.Colorado.EDU>
UTC Datetime: 1995-02-12 18:03:08 UTC
Raw Date: Sun, 12 Feb 95 10:03:08 PST

Raw message

From: "Perry E. Metzger" <perry@imsi.com>
Date: Sun, 12 Feb 95 10:03:08 PST
To: "W. Kinney" <kinney@bogart.colorado.edu>
Subject: Re: the problem that destroyed PGP
In-Reply-To: <199502121757.KAA12098@bogart.Colorado.EDU>
Message-ID: <9502121802.AA19017@snark.imsi.com>
MIME-Version: 1.0
Content-Type: text/plain



"W. Kinney" says:
> This isn't a criticism of PGP's key certification paradigm -- PGP allows
> centralized certification (I see a few keys signed by SLED, for instance),
> and it also allows me the flexibility of having mutual certification within
> the circle of people I mail regularly. But web of trust _in and of itself_
> is not proving to be effective when applied to the problem of providing
> reliable key certification on the scale of the internet as a whole. 

I think the jury is still out on that. Web-of-trust is still really
untested because of the difficulties in widespread deployment of
PGP. As it stands, PGP is still a hacker's toy -- the lack of a
library or an easy-to-use global key distribution infrastructure means
that we have yet to see what can be done. I think that mutually
authenticating organizations with small trust pyramids within the
organizations, but without a global key pyramid, may come to prove
very practical.

Perry




