
Re: why pgp sucks




Derek Atkins says:
> > Unfortunately, the current PGP practice of using only numeric key-ids
> > in message packets makes it hard to do this -- sigh. I hope that
> > the next version of PGP changes this.
> 
> I doubt PGP will change this in the near future.  That would require a
> major packet format change, and would not be anywhere near backwards
> compatible.  
> 
> I don't consider this to be a big problem.

I do. It means that I can't use PGP for IPSP key management -- period.

> If you limit key lookups in the database to be lookup on userID
> only, that solves your database problem.  As for the keyID->userID,
> well, this would only be required to _verify_ a signature.  In that
> case, you know who sent the message to you so you can ask them for
> the key.  When you want to encrypt to someone, you already know to
> whom you want to encrypt, so the same thing applies.
> 
> I don't see the problem!

Sorry, but I see the problem. If I want to follow an arbitrary chain
of signatures, check arbitrary signatures, etc., I'm forced to go
through kludges or worse. I don't see it as acceptable to just ask
someone for their key, either.

Perry