Re: why pgp sucks
"Perry E. Metzger" <perry@imsi.com> writes:
I'll also note, yet again, that unless PGP quits this bad practice of identifying counterparties only by a number, it is NOT going to be universally deployed. Counterparties need to be identified by a name that can be looked up in the DNS -- meaning "joe@foo.com" rather than some key ident number.
PGP of course looks up keys by strings in addition to numbers. A widely accepted practice is to use <joe@foo.com> in the user ID which allows the lookups to be by internet address. PGP was intended for use beyond the internet, such as in bbs's, fidonet, corporate networks, etc., where DNS style addresses may not be useful.
I would prefer that PGP would not give out ANY info about addressees. It would seem to me that it is quite a security breach to have PGP dutifully tell you to whom it is addressed. ************************************************************ * Just your basic signature block * * * * Al Thompson * * Fidonet 1:231/110 * * alt@iquest.net * ************************************************************
alt@iquest.net (Al Thompson) writes:
I would prefer that PGP would not give out ANY info about addressees. It would seem to me that it is quite a security breach to have PGP dutifully tell you to whom it is addressed.
PGP could be hacked fairly easily to do this (in fact there is a program around called stealth that does this to some extent), however in the context of this discussion we were discussing more the issue of checking the signature on a file. For that we do need a hint about whose signature purports to be there. PGP presently provides this in the form of the low-order 64 bits of the key modulus, and this provides problems in implementing the key database in distributed form. Hal
participants (2)
-
alt@iquest.net -
Hal