[8180] in cryptography@c2.net mail archive
Re: Is PGP broken?
daemon@ATHENA.MIT.EDU (Enzo Michelangeli)
Sun Dec 3 21:44:01 2000
Message-ID: <00a701c05d9b$a7fcf1e0$6000a8c0@em>
From: "Enzo Michelangeli" <em@who.net>
To: <pgut001@cs.auckland.ac.nz>, <cryptography@c2.net>
Date: Mon, 4 Dec 2000 10:40:36 +0800
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1252"
Content-Transfer-Encoding: 7bit
----- Original Message -----
From: "Peter Gutmann" <pgut001@cs.auckland.ac.nz>
To: <cryptography@c2.net>
Sent: Thursday, November 30, 2000 1:30 PM
Subject: Re: Is PGP broken?
> "Enzo Michelangeli" <em@who.net> (or someone, the quoting makes it
> difficult to tell)
Yes, that was me.
> writes:
>
> >If it may be of any comfort (or perhaps enhanced desperation), the S/MIME
> >community has similar headaches: these days, the ietf-smime@imc.org list is
> >debating whether, in S/MIME v.3, RSA should be made a MUST algorithm
> >together with, or as an alternative to, DSS and D-H. At this moment
> >(RFC2630) neither RSA nor RC2 is MUST, so interoperability is not
> >guaranteed with v.2 agents...
>
> S/MIME interoperability is guaranteed because everyone ignores the
> RFC and does RSA and RC2 (for backwards-compatibility only) and 3DES
> first and everything else only if they have the time and/or budget.
By "S/MIME" I mean the two standards (v.2 and v.3), not their various
implementations (still largely based on v.2).
The truth is: with any standard, the fact that version [N+1] lacks some of
the MUSTs of version [N] represents a bad omen for successful deployment.
Now that the patent on RSA has expired, and the export control laws in the
US have finally been relaxed, this issue should be addressed. For PGP that
will be more difficult due to the continuing encumbered status of IDEA, but
for S/MIME it could be fixed now.
Apart from standards issues, one thing I'd like to see added to popular
S/MIME agents is a mini-CA to issue self-signed certificates. This would
allow people to use S/MIME as they use PGP (who relies on the WoT anyway?),
breaking the dependency on hierarchical CAs. Creating such an agent would
now be a viable open-source project, without any need for expensive toolkit
licenses.
Enzo
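The mini-CA idea in the last paragraph of the message above, worked through as an added example that is not part of the original post and not code from any S/MIME agent or project it mentions. It assumes only the openssl command line (OpenSSL 1.1.1 or later, for `-no-CApath` and the `req` config handling); every name, address and message body is a constructed value. Each user issues a self-signed certificate, correspondents compare fingerprints out of band and pin that certificate, and verification trusts the pinned certificate alone, which is exactly the direct-trust model PGP users are used to.

```shell
#!/bin/sh
# Added example, not code from the post or from any S/MIME agent it mentions:
# a PGP-style "mini-CA" for S/MIME built from the openssl command line
# (OpenSSL 1.1.1 or later assumed). Each user issues a self-signed certificate
# and correspondents pin that certificate directly, so no hierarchical CA is
# involved. All names, addresses and message text below are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Issue a self-signed S/MIME certificate for NAME <EMAIL>. The extensions
# restrict the key to e-mail protection; nothing marks it as a CA.
make_selfsigned_cert() {
    name="$1"; email="$2"
    cat > "$WORK/$name.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = smime
[dn]
CN = $name
emailAddress = $email
[smime]
subjectAltName = email:copy
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = emailProtection
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$WORK/$name.cnf" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.crt" 2>/dev/null
}

# The out-of-band check PGP users already do with key fingerprints: print the
# SHA-256 fingerprint of a certificate so it can be compared before pinning.
cert_fingerprint() {
    openssl x509 -in "$WORK/$1.crt" -noout -fingerprint -sha256 | cut -d= -f2
}

# Wrap a plain-text body as a multipart/signed S/MIME message signed by NAME.
sign_message() {
    name="$1"; body="$2"; out="$3"
    printf '%s\n' "$body" > "$out.txt"
    openssl smime -sign -text -in "$out.txt" \
        -signer "$WORK/$name.crt" -inkey "$WORK/$name.key" -out "$out"
}

# Verify a signed message trusting ONLY the pinned certificate PINNED
# (-no-CApath keeps the system CA directory out of the picture).
# Prints the verified body with CRs stripped; returns non-zero on failure.
verify_message() {
    pinned="$1"; msg="$2"
    body=$(openssl smime -verify -text -in "$msg" \
        -CAfile "$WORK/$pinned.crt" -no-CApath 2>/dev/null) || return 1
    printf '%s\n' "$body" | tr -d '\r'
}

# Demo: Alice mints her own certificate; Mallory mints one claiming Alice's
# address. Bob pins Alice's certificate after comparing fingerprints.
make_selfsigned_cert alice alice@example.invalid
make_selfsigned_cert mallory alice@example.invalid
echo "alice   $(cert_fingerprint alice)"
echo "mallory $(cert_fingerprint mallory)"

sign_message alice   "Bob, my new S/MIME certificate is attached." "$WORK/note.msg"
sign_message mallory "Bob, please use this new certificate instead." "$WORK/forged.msg"

# Pinned certificate: Alice's signature verifies.
verify_message alice "$WORK/note.msg"
# Same claimed address, different certificate: rejected, because trust was
# placed in a specific certificate, not in a name.
if verify_message alice "$WORK/forged.msg" >/dev/null; then
    echo "unexpected: unpinned signer accepted"; exit 1
fi
echo "message from unpinned signer rejected as expected"
```

The point of the last two calls is the trust model: a self-signed certificate carries no third-party assertion, so the only thing that makes it meaningful is the pinning step, and the fingerprint comparison before pinning is the equivalent of a PGP key-signing check.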