1995-02-10 - Re: why pgp sucks

Header Data

From: “Perry E. Metzger” <perry@imsi.com>
To: Derek Atkins <warlord@MIT.EDU>
Message Hash: bc809c655aaa4e0dc5bfe39c06fae6d6b8a9968490204d9e5601aaf8d79acce9
Message ID: <9502102141.AA15657@snark.imsi.com>
Reply To: <9502102135.AA08054@josquin.media.mit.edu>
UTC Datetime: 1995-02-10 21:42:13 UTC
Raw Date: Fri, 10 Feb 95 13:42:13 PST

Raw message

From: "Perry E. Metzger" <perry@imsi.com>
Date: Fri, 10 Feb 95 13:42:13 PST
To: Derek Atkins <warlord@MIT.EDU>
Subject: Re: why pgp sucks
In-Reply-To: <9502102135.AA08054@josquin.media.mit.edu>
Message-ID: <9502102141.AA15657@snark.imsi.com>
MIME-Version: 1.0
Content-Type: text/plain



Derek Atkins says:
> > Unfortunately, the current PGP practice of using only numeric key-ids
> > in message packets makes it hard to do this -- sigh. I hope that
> > the next version of PGP changes this.
> 
> I doubt PGP will change this in the near future.  That would require a
> major packet format change, and would not be anywhere near backwards
> compatible.  
> 
> I dont consider this to be a big problem.

I do. It means that I can't use PGP for IPSP key management -- period.

> If you limit key lookups in the database to be lookup on userID
> only, that solves your database problem.  As for the keyID->userID,
> well, this would only be required to _verify_ a signature.  In that
> case, you know who sent the message to you so you can ask them for
> the key.  When you want to encrypt to someone, you already know to
> whom you want to encrypt, so the same thing applies.
> 
> I don't see the problem!

Sorry, but I see the problem. If I want to follow an arbitrary chain
of signatures, check arbitrary signatures, etc, I'm forced to go
through kludges or worse. I don't see it as acceptable to just ask
someone for their key, either.

Perry





Thread