Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-12 Thread Ed Gerck
lcs Mixmaster Remailer wrote: > This is in contrast to the practice in the X.509 PKI, where a root CA > has the ability to delegate trust as far as it wishes. This is not correct. In X.509 it is the verifier that defines how that is accepted and to how many levels, irrespective of what was sig

Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-11 Thread lcs Mixmaster Remailer
A common misconception about the PGP web of trust is that trust flows through the web along the signatures. Actually, PGP's trust model is founded on the principle that "trust isn't transitive". A signature is never trusted in PGP unless the user has explicitly indicated that he personally trust

Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-07 Thread Bodo Moeller
On Wed, Sep 06, 2000 at 11:50:17AM -0400, Derek Atkins wrote: > Ray Dillinger <[EMAIL PROTECTED]> writes: >> I have long felt that PGP missed a trick when it didn't have >> automatic expiry for keys -- It should be possible to build >> into each key an expiration date, fixed at the time of its

Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-07 Thread Bill Stewart
At 08:45 AM 9/4/00 +0200, Jaap-Henk Hoepman wrote: >What's wrong with the PGP wrappers for Outlook or Eudora? They looked quite >usable and user friendly to me - as far as any secure email product could ever >be completely user friendly... The user has to do more stuff than usual, and >has to h

Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-07 Thread Bill Frantz
At 9:01 AM -0700 9/3/00, David Honig wrote: >I didn't make myself clear. I meant that PGP is perfectly useful >*without any keyservers*. I am in *favor* of people not publishing >their keys, except maybe if you were a business and *wanted* cold-calls >[1]. Sort of like a front-office line and a

Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-06 Thread Arnold G. Reinhold
At 4:38 PM -0700 9/5/2000, David Honig wrote: >At 05:33 PM 9/3/00 -0400, Dan Geer wrote: >> >>> How do they exchange public keys? Via email I'll bet. >> > > >Note that it is trivial(*) to construct a self-decrypting > >archive and mail it in the form of an attachment. The >>recipient will mere

Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-06 Thread Ted Lemon
> So I would prefer to work with a CA where it is not a *necessary* > condition for a revocation. Why would someone grabbing your red and blue disks compromise your key? You have it encrypted, right? The encryption key is only present in wetware, right? :'} I generally don't think of "som

Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-06 Thread Derek Atkins
Ray Dillinger <[EMAIL PROTECTED]> writes: > I have long felt that PGP missed a trick when it didn't have > automatic expiry for keys -- It should be possible to build > into each key an expiration date, fixed at the time of its > creation. For shorter keys, it ought to default to expiring >

Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-06 Thread Derek Atkins
RFC2440 (OpenPGP) provides for referral revocations -- you can let other people revoke your key on your behalf. -derek Ray Dillinger <[EMAIL PROTECTED]> writes: > On Tue, 5 Sep 2000, Ted Lemon wrote: > > > > >If you sign the revocation certificate in the compromised key, then > >the only way i

Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-06 Thread David Honig
At 10:47 PM 9/5/00 -0400, Dan Geer wrote: > I can tell people never to accept >an executable mailed to them from anywhere, which will get >laughed at by all the people in the business world who... [...who are digging their own graves if they routinely run programs mailed to them, whether or not

Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-06 Thread Ray Dillinger
On Tue, 5 Sep 2000, Ted Lemon wrote: > >If you sign the revocation certificate in the compromised key, then >the only way it can get revoked is if the owner of the key revokes it >or it's been compromised... > > _MelloN_ This is true, and that's a *sufficient* condi

Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-06 Thread Paul Crowley
I'm still far from convinced that the Web of Trust achieves what it's supposed to achieve, even when used correctly. Consider this question: what do you need to know about a person in order to feel confident that they are the intended recipient of your secure communication? Because I bet the a

Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-06 Thread Ben Laurie
Ray Dillinger wrote: > > On Tue, 5 Sep 2000, David Honig wrote: > > > The more hard-core distribute keys to previously known > >parties on physical media, only. > > > > I have long felt that PGP missed a trick when it didn't have > automatic expiry for keys -- It should be possible to build >

Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-06 Thread Ted Lemon
If you sign the revocation certificate in the compromised key, then the only way it can get revoked is if the owner of the key revokes it or it's been compromised... _MelloN_

Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-05 Thread Ray Dillinger
On Tue, 5 Sep 2000, David Honig wrote: > The more hard-core distribute keys to previously known >parties on physical media, only. > I have long felt that PGP missed a trick when it didn't have automatic expiry for keys -- It should be possible to build into each key an expiration date, f

Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-05 Thread David Honig
At 10:17 PM 9/5/00 -0400, P.J. Ponder wrote: > > >On Tue, 5 Sep 2000, David Honig wrote: >> >> If you have a secure channel to exchange a passphrase in, >> you have no need for PK. >> > >Public key allows digital signatures, A digsig does indeed rely on PK, but you needn't use digsigs to use P

Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-05 Thread Dan Geer
I said, >Note that it is trivial(*) to construct a self-decrypting >archive and mail it in the form of an attachment. The >recipient will merely have to know the passphrase. If >transit confidentiality is your aim and old versions >of documents are irrelevant once the ink

Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-05 Thread Ed Gerck
Ed Gerck wrote: > Even though the web-of-trust seems to be a pretty good part of PGP, > IMO it is actually its Achilles heel. I agree with most comments but they seem to deal more with symptoms. Let me just clarify/justify the above and why I think this is IMO actually the root cause of problems

Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-05 Thread P.J. Ponder
On Tue, 5 Sep 2000, David Honig wrote: > > If you have a secure channel to exchange a passphrase in, > you have no need for PK. > Public key allows digital signatures, which a secure channel for key exchange doesn't provide. Two parties may choose to use symmetric encryption for exchanging m

Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-05 Thread David Honig
At 05:33 PM 9/3/00 -0400, Dan Geer wrote: > >> How do they exchange public keys? Via email I'll bet. > >Note that it is trivial(*) to construct a self-decrypting >archive and mail it in the form of an attachment. The >recipient will merely have to know the passphrase. If If you have a secure

Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-05 Thread Steven M. Bellovin
In message <[EMAIL PROTECTED]>, Dan Geer writes: > >> How do they exchange public keys? Via email I'll bet. > >Note that it is trivial(*) to construct a self-decrypting >archive and mail it in the form of an attachment. The >recipient will merely have to know the passphrase. If >transit confi

Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-05 Thread Ben Laurie
Dave Del Torto wrote: > > At 11:14 pm -0400 2000-09-01, Russell Nelson wrote: > >Ed Gerck writes: > >>Even though the web-of-trust seems to be a pretty good part of PGP, > >>IMO it is actually its Achilles heel. > > > >Nope. Usability is its Achilles heel. PGP needs to be wrapped in > >somethi

Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-05 Thread Jaap-Henk Hoepman
On Fri, 1 Sep 2000 23:14:06 -0400 (EDT) Russell Nelson <[EMAIL PROTECTED]> writes: > Ed Gerck writes: > > Even though the web-of-trust seems to be a pretty good part of PGP, > > IMO it is actually its Achilles heel. > > Nope. Usability is its Achilles heel. PGP needs to be wrapped in > some

Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-05 Thread Dan Geer
> How do they exchange public keys? Via email I'll bet. Note that it is trivial(*) to construct a self-decrypting archive and mail it in the form of an attachment. The recipient will merely have to know the passphrase. If transit confidentiality is your aim and old versions of documents ar

Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-05 Thread Dan Geer
Well put, Greg. I do think that a small circle of trusted friends is a tautology -- if it is not small, it cannot be trusted. Was it not ever thus? --dan

Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-05 Thread David Honig
At 09:56 PM 9/2/00 -0400, Arnold G. Reinhold wrote: >At 3:48 PM -0700 9/1/2000, David Honig wrote: >>At 09:34 AM 8/30/00 -0700, Ed Gerck wrote: >>> >>>BTW, many lawyers like to use PGP and it is a good usage niche. Here, in the >>>North Bay Area of SF, PGP is not uncommon in such small-group busi

Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-05 Thread Arnold G. Reinhold
At 3:48 PM -0700 9/1/2000, David Honig wrote: >At 09:34 AM 8/30/00 -0700, Ed Gerck wrote: >> >>BTW, many lawyers like to use PGP and it is a good usage niche. Here, in the >>North Bay Area of SF, PGP is not uncommon in such small-group business users. > >How do they exchange public keys? Via ema

Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-05 Thread Dave Del Torto
At 11:14 pm -0400 2000-09-01, Russell Nelson wrote: >Ed Gerck writes: >>Even though the web-of-trust seems to be a pretty good part of PGP, >>IMO it is actually its Achilles heel. > >Nope. Usability is its Achilles heel. PGP needs to be wrapped in >something, and yet it's not really designed to

Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-01 Thread Russell Nelson
Ed Gerck writes: > Even though the web-of-trust seems to be a pretty good part of PGP, > IMO it is actually its Achilles heel. Nope. Usability is its Achilles heel. PGP needs to be wrapped in something, and yet it's not really designed to be wrapped. Even if it were, PGP, Inc. changed the i

Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-01 Thread David Honig
At 09:34 AM 8/30/00 -0700, Ed Gerck wrote: > >BTW, many lawyers like to use PGP and it is a good usage niche. Here, in the >North Bay Area of SF, PGP is not uncommon in such small-group business users. How do they exchange public keys? Via email I'll bet. Bitpushing MDs should be another 'good

Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-01 Thread Ed Gerck
Greg Rose wrote: > I was an early adopter of PGP, and put a lot of effort into advancing the > Web of Trust. I use PGP actively on a daily basis. Nevertheless, I have > been disillusioned for some time, and today's fun prodded me into writing > this. Here is a list of things which I consider to

Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-01 Thread Nelson Minar
Nice note, Greg, thank you. I remember the call to arms of PGP, get the whole world encrypting email. And who can forget Gilmore's Free S/WAN goal, to secure 5% of Internet traffic by the end of 1996? These proclamations were hugely inspirational for me. These efforts helped advance practical c

reflecting on PGP, keyservers, and the Web of Trust

2000-09-01 Thread Greg Rose
I've just had an interesting experience which has set me to thinking about the usefulness of tools like PGP, including implicitly the Web of Trust, Keyservers, and so on. The situation that brought this to mind was a simple one. I wanted to rejoin an association that I'd somehow lapsed from, m