From: “W. Kinney” <kinney@bogart.Colorado.EDU>
To: cypherpunks@toad.com
Message Hash: 0d24d53ff96c1d06e3e95f44765a481dd7f1a4430532e8bf2f2b6a045aa05719
Message ID: <199502121757.KAA12098@bogart.Colorado.EDU>
Reply To: <199502121727.MAA20000@crypto.com>
UTC Datetime: 1995-02-12 17:57:47 UTC
Raw Date: Sun, 12 Feb 95 09:57:47 PST
From: "W. Kinney" <kinney@bogart.Colorado.EDU>
Date: Sun, 12 Feb 95 09:57:47 PST
To: cypherpunks@toad.com
Subject: Re: the problem that destroyed PGP
In-Reply-To: <199502121727.MAA20000@crypto.com>
Message-ID: <199502121757.KAA12098@bogart.Colorado.EDU>
MIME-Version: 1.0
Content-Type: text/plain
Matt Blaze writes:
> I don't think anyone has suggested there's any one problem that
> "destroys" PGP. Several people have pointed out a number of problems
> that limit PGP's scalability in various ways. Its flat key ID
> namespace is one. Lack of functional modularity is another. Its
> fixed certification model is still another.
Certification really does need to be added to the discussion on scaling.
In the sense that I want to be able to download a stranger's key from
a key server and have some idea of its reliablility, web of trust has
turned out to be a real failure, IMO. There's no "web", rather a large
set of disconnected "islands" of signatures. I'm looking at the latest
keyring from MIT right now, and noticing that most of the keys are
either unsigned or self-signed. The majority of the rest have signatures,
but signatures that are unconnected to me via the web of trust, so that
they are entirely useless. I suspect that my situation is by far the
most common one: the only keys that I have any verifiable authentication
for are ones I've signed myself, or ones that are signed by people
in my immediate circle. The chain of signatures dies very close to me.
This isn't a criticism of PGP's key certification paradigm -- PGP allows
centralized certification (I see a few keys signed by SLED, for instance),
and it also allows me the flexibility of having mutual certification within
the circle of people I mail regularly. But web of trust _in and of itself_
is not proving to be effective when applied to the problem of providing
reliable key certification on the scale of the internet as a whole.
-- Will
Return to February 1995
Return to ““W. Kinney” <kinney@bogart.Colorado.EDU>”