[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: The case against redundancy and isolation

To: Ian Brown <I.Brown@xxxxxxxxxxxx>
Subject: Re: The case against redundancy and isolation
From: Jeremey Barrett <jeremey@xxxxxxxxxxxxx>
Date: Sun, 23 Nov 1997 14:23:43 -0800
Cc: IETF OpenPGP <ietf-open-pgp@xxxxxxx>
In-reply-to: <>
Organization: BlueMoney Software Corp.
References: <> <> <> <> <> <> <> <> <> <>
Sender: owner-ietf-open-pgp@xxxxxxx

-----BEGIN PGP SIGNED MESSAGE-----

Ian Brown writes:
 > > No, Armor doesn't effect the
 > > security of PGP itself, but it does affect how OP products will or
 > > can be used in the "real world" and therefore affects the "level of
 > > security provided by" the PGP system. (if noone used PGP, PGP is still
 > > secure, but the system is not because it isn't used).
 >  
 > Jeremey, you are trying to redefine the meaning of "security of a
 > system". I have never read any security literature which says, for
 > example, "DES is more secure than IDEA because it is more widely
 > used."

Certainly not, I do not mean that PGP is "more secure" because it has
ASCII armoring capability (I thought I made this clear in that
paragraph). 

What I mean is that a communications security system benefits from
wide deployment and use. Re-designing the system in ways that render
previous versions incompatible does not promote security. If there
is a compelling reason to change it (for instance if past versions
had protocol flaws, etc) then so be it, but I see no such reason here.
All I see is 'standardization'. One can provide countless examples
of standardization gone haywire (S/MIME, ASN.1, X.509, SET, etc.) and 
it does not always serve the end goal.

I absolutely agree that support for MIME is important, MIME is a
standard that is widely used. My argument is simply that ASCII armor
is not a transport issue, rather it is an important functionality of
PGP itself.

 > Taking Jon's point: is the ability to do armour critical to an OP
 > implementation on a smartcard, used for example to authenticate a user
 > at login?
 > 

Probably not, I can't see a case where it would be used. This is a 
good point, and makes a strong case for making ASCII armor a SHOULD 
and not a MUST. I wonder how feasible 100% compliance with OP is on 
a smartcard at all, with or without ASCII armor. Unfortunately, I 
think ASCII armor should be a MUST in almost every other case. Hrm.

Jeremey.
- -- 
Jeremey Barrett                                BlueMoney Software Corp.
Crypto, Ecash, Commerce Systems               http://www.bluemoney.com/
PGP key fingerprint =  3B 42 1E D4 4B 17 0D 80  DC 59 6F 59 04 C3 83 64

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQCVAwUBNHis6S/fy+vkqMxNAQHdyQP6A+TTgJS/YkroErIs+GMOXh0VT8pofpgQ
4JJG4N17ix1t8jLzylMILxhLoKbB+EIV0hIyRdolhLOfptvroEATqUVeOKft1M6s
NWwzMwdTexp2S3qV9w1YMkigGCvhX6dQZsHmJ3K+OAFBMiOxQz/g96pJ2cm7e03S
7KO+NTsHZgM=
=95Bz
-----END PGP SIGNATURE-----

References:
- The Case Against MIME
  - From: William H. Geiger III
- Re: The Case Against MIME
  - From: Jeremey Barrett
- Re: The Case Against MIME
  - From: Ian Brown
- The case against redundancy and isolation
  - From: Dave Crocker / IMC
- Re: The case against redundancy and isolation
  - From: Jeremey Barrett
- Re: The case against redundancy and isolation
  - From: Thomas Roessler
- Re: The case against redundancy and isolation
  - From: Jeremey Barrett
- Re: The case against redundancy and isolation
  - From: Ian Brown
- Re: The case against redundancy and isolation
  - From: Jeremey Barrett
- Re: The case against redundancy and isolation
  - From: Ian Brown

Prev by Date: Re: hand huffman encoding at PGP world HQ
Next by Date: Interoperability Policy of PGP Inc Clarified
Previous by thread: Re: The case against redundancy and isolation
Next by thread: Re: The case against redundancy and isolation
Index(es):
- Date
- Thread