Re: PGP evolving, improving
Uri Blumenthal <uri@xxxxxxxxxxxxxx> writes:
> > > b. There have been no practical cases of signature spoofing with MD5--it
> > > hasn't been broken.
> >
> > I agree, in the general case it has not. I'll discuss a better
> > user migration path below.
>
> Excuse me, gentlemen, were there any practical cases of signature
> spoofing with MD4?
>
> Also, since this is an IETF forum, let me remind you, that the
> official IETF security guideline is: "For all the new standards
> MD5 shall not be used - but SHA-1".
MD5 is in the draft as a MAY. You want to change that to a MUST NOT?
I don't think the situation with MD5 is serious enough currently to
warrant the loss of backwards compatibility as an implementation
option.
> However, as an algorithm starts showing cracks, a cryptographer with
> brains replaces it before the "practical" cases start piling up.
Of course, that much is a given.
Where we came into this discussion was that by having backwards
compatibility more people migrate to new algorithms more quickly.
> Well, the only compatibility concerns that *I* have as a user are
> related to the broken *interface*. I.e. I APPLAUD the move to DSS
> and EG (would like to see ECC too, BTW) - but I absolutely hate
> the fact that I can no longer use Mailcrypt-3.4 from XEmacs.
Well I use mailcrypt also, so I can share on that one. However I keep
getting emails from people with pgp5.x which are addressed to my RSA
key, and yet which pgp2.x simply can't read. I think this must either
be the bug Hal described, or people are signing the message with a DSS
key which I thought pgp5.x was supposed to warn against when the
recipient is using an RSA key.
> > Now the discussion of a better migration path. It seems to me that a
> > nice thing to do would be to generate two keys at key gen time: an RSA
> > key and a DSS/EG pair.
>
> What if I *don't* want to generate RSA keys. Why cram those down my
> throat? Make it possible to generate DSS *or* DSS+RSA, if you REALLY
> insist...
Default operation. Same as you get a default operation with pgp5.x of
using cooked primes.
> > Largely transparent interoperability on all versions
> > would I suspect paradoxically have meant many more people made the
> > switch.
>
> Yes and no. Of course transparency will help. HOWEVER, many PGP
> users have either no time, or no skills (or "no" both) to modify
> the software that interfaces between their favorite whatever
> and PGP. For me it is Mailcrypt/XEmacs. Until *that* part
> is taken care of - don't expect people to switch.
I think mailcrypt users are small in number. We should ask Pat
LoPresti if he wants to hack in pgp5.x support.
Adam
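Added example (not part of Adam's or Uri's post, and not PGP's own code): the thread turns on two checks an implementation could make when it receives a signature, namely whether the hash algorithm is MD5 (a MAY in the draft, a MUST NOT under the IETF guideline Uri quotes) and whether a DSS-signed message is going to an RSA-only pgp2.x recipient. The code below decodes only the header fields of an old-format OpenPGP signature packet (tag 2, versions 3 and 4, per the RFC 2440 layout) and applies those two policies. The two sample packets are constructed by hand with placeholder MPIs and are not real signatures; the policy strings and the function names are this example's own.

```python
"""Decode an OpenPGP signature packet header and apply a hash/key policy.
Added illustration for the MD5 MAY-vs-MUST-NOT discussion; constructed data only."""
import struct
from typing import Optional

# Algorithm ID registries from the OpenPGP draft (RFC 2440, sections 9.1 and 9.4).
PUBKEY_ALGS = {1: "RSA", 16: "ElGamal", 17: "DSA"}
HASH_ALGS = {1: "MD5", 2: "SHA-1"}


def parse_signature_header(packet: bytes) -> dict:
    """Return version, signature type, public-key algorithm and hash algorithm
    of an old-format signature packet.  The MPIs are deliberately not decoded."""
    if not packet or not packet[0] & 0x80:
        raise ValueError("not an OpenPGP packet (bit 7 of the CTB must be set)")
    if packet[0] & 0x40:
        raise ValueError("new-format packet header not handled in this example")
    tag = (packet[0] >> 2) & 0x0F
    if tag != 2:
        raise ValueError(f"packet tag {tag} is not a signature packet")
    ltype = packet[0] & 0x03
    if ltype == 0:                       # one-octet body length
        body = packet[2:2 + packet[1]]
    elif ltype == 1:                     # two-octet body length
        (blen,) = struct.unpack(">H", packet[1:3])
        body = packet[3:3 + blen]
    elif ltype == 2:                     # four-octet body length
        (blen,) = struct.unpack(">I", packet[1:5])
        body = packet[5:5 + blen]
    else:
        raise ValueError("indeterminate-length packets not handled")

    version = body[0]
    if version == 3:
        # v3 (PGP 2.x): version, 0x05, sigtype, time(4), key ID(8), pkalg, hashalg
        if body[1] != 5:
            raise ValueError("v3 signature: hashed-material length must be 5")
        sigtype, pkalg, hashalg = body[2], body[15], body[16]
    elif version == 4:
        # v4 (PGP 5.x): version, sigtype, pkalg, hashalg, subpackets...
        sigtype, pkalg, hashalg = body[1], body[2], body[3]
    else:
        raise ValueError(f"unsupported signature version {version}")
    return {"version": version, "sig_type": sigtype,
            "pubkey_alg": pkalg, "hash_alg": hashalg}


def check_policy(sig: dict, md5_policy: str = "MAY",
                 recipient_key_alg: Optional[int] = None) -> list:
    """md5_policy is 'MAY' (draft text) or 'MUST NOT' (IETF guideline).
    recipient_key_alg, if given, is the recipient's key algorithm ID so that a
    DSS/ElGamal signature headed for an RSA-only (pgp2.x) user is flagged."""
    findings = []
    h = sig["hash_alg"]
    if h == 1:
        if md5_policy == "MUST NOT":
            findings.append("reject: MD5 hash; policy is MUST NOT")
        else:
            findings.append("warn: MD5 hash accepted only for backwards compatibility")
    elif h not in HASH_ALGS:
        findings.append(f"reject: unknown hash algorithm ID {h}")
    if recipient_key_alg == 1 and sig["pubkey_alg"] != 1:
        name = PUBKEY_ALGS.get(sig["pubkey_alg"], str(sig["pubkey_alg"]))
        findings.append(f"warn: {name} signature; an RSA-only pgp2.x recipient cannot verify it")
    return findings


MPI_PLACEHOLDER = b"\x00\x08\x2a"   # an 8-bit MPI holding 42; not a real signature value

# Constructed v4 packet: binary-document signature, DSA (17), MD5 (1), no subpackets.
SIG_V4_DSA_MD5 = bytes([0x88, 13, 4, 0x00, 17, 1]) + b"\x00\x00" + b"\x00\x00" \
    + b"\xab\xcd" + MPI_PLACEHOLDER

# Constructed v3 packet: RSA (1), MD5 (1), zero creation time and key ID.
SIG_V3_RSA_MD5 = bytes([0x88, 22, 3, 5, 0x00]) + b"\x00" * 4 + b"\x00" * 8 \
    + bytes([1, 1]) + b"\xab\xcd" + MPI_PLACEHOLDER


def demo() -> dict:
    """Run both packets through both policies; returns the findings for inspection."""
    v4 = parse_signature_header(SIG_V4_DSA_MD5)
    v3 = parse_signature_header(SIG_V3_RSA_MD5)
    return {
        "v4_may": check_policy(v4, "MAY", recipient_key_alg=1),
        "v4_mustnot": check_policy(v4, "MUST NOT"),
        "v3_may": check_policy(v3, "MAY", recipient_key_alg=1),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings)
```

Under the draft's MAY the RSA/MD5 v3 packet passes with only a compatibility warning, which is the backwards-compatibility option Adam wants to keep; switching the policy string to MUST NOT turns the same packet into a rejection, which is the cost he is weighing.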