From: John Gilmore <gnu@toad.com>
Date: Thu, 27 Jul 95 11:05:16 PDT
To: cypherpunks@toad.com
Subject: Allan Schiffman on SHTTP removing PGP support
Message-ID: <9507271805.AA27155@toad.com>
MIME-Version: 1.0
Content-Type: text/plain


I asked Allan, who spoke on S-HTTP at a recent BayFF meeting, about
this.

Date: Tue, 25 Jul 95 20:02:12 PDT
From: ams@eit.COM (Allan M Schiffman)

Its true, the most recent draft of the S-HTTP spec depreciated
(that is, dropped) support for PGP encapsulation.

Eric and I did this because we:
	1) Hadn't implemented PGP support ourselves.
	2) Knew of no other S-HTTP implementation which did (we know of
	   three other S-HTTP implementations).
	3) Were unsatisfied with the formalization of PGP encapsulation
	   format (as opposed to the behavior of a particular program).
	4) Realized that our spec didn't permit implementation given
	   our lack of support for PGP name forms and keying materials.
	   An alternative to dropping PGP would have been to fix this,
	   but we didn't have the time (or the motivation, given 1-3 above).

That doesn't mean "X.509 all the way" for S-HTTP, by a long shot. We
have publically committed (at the IETF WTS WG last week) to support
MOSS, with all its name forms and keying materials. The next draft of
the spec will detail how to do this, probably emphasizing the use of
new key management mechanisms made possible by Secure DNS.

For what its worth, I'm no fan of X.509, although I'm on record as a
believer in "multiply-rooted qualified hierarchical trust" (which
presumably classifies me as an "anal hierachy fan").

-Allan