[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [openpgp] Opening up the debate on PKI / WoT / future of OpenPGP



To the extent that this is not openpgp specific, we have an
occasionally active list (therightkey@xxxxxxxx) for topics
like that. So far though, I don't think anyone's gotten much
traction for anything on that, with the exception of CT that
turned into RFC6692 and now the trans WG. But if you want a
generic discussion of "whither now PKI" that is probably the
most appropriate IETF list. (Non-IETF lists might also be
appropriate too, depending on what you want.)

If you want an openpgp-specific discussion, that it'd be this
list, even if it's not so likely that a new WG would work on
that, or at least anytime very soon. (That's based on the
responses we got for doing "option 2" etc.)

I'm not clear if you wanted an openpgp specific discussion
or not though. (And the subject line combined with your
mail saying "I'm not saying I want to open up the debate"
also puzzled me mightily;-)

S.

On 16/04/15 14:31, ianG wrote:
> So, the OpenPGP world has always separated policy from tech.  It has in
> effect kicked policy upstairs to the people.  Hence the key signing
> parties and the discordance between signing meaning "I saw a passport"
> versus "I saw a person".  This we all agreed was the smart thing to do.
> 
> However, Jon's revelation of yesterday really changed everything for me
> at least:
> 
> 
>   > When 2440 started, there was an agreement with the Security
>   > Area that OpenPGP would not be a "PKI" (whatever the heck
>   > that means), because there was already a PKI, namely PKIX.
> 
> 
> This thread (below) is about PGP as "a PKI" in a world where we are used
> to (up against) "the PKI" or incumbent x.509/CA.  Now that we're
> watching the slow burning sunset of "the PKI," and, now that we're
> looking at a whole new generation of usage for PGP (*), it may become
> more clear that we might have to revisit this.
> 
> 
> 
> Context:  I'm not saying I want to open up the debate.  My context is
> that I'm already doing it.  In effect <advert> I abandoned OpenPGP 2
> years back so that I could build my own PKI to suit my today's
> requirements </advert>.  To add further flesh to that, PHB is doing the
> same.  Jon will also have something to say on this, and others...
> 
> In short, the reality is that PKIs are evolving around us, so the
> question is not whether to do it, it's already happening.
> 
> The question is whether to bring it back in house?
> 
> 
> iang
> 
> 
> 
> (*) to explain "new generation" a bit.  OpenPGP is a legacy product that
> deals with some niche use cases.  In order to make it move forward, and
> in order to justify putting the rather huge shared resources into a new
> update, it would be nice to kick it forward to the current level of
> understanding ... so that if finds a whole new user base in the 2020s
> world (aiming ahead).  I'm not saying what that is, just making a
> comment about market development.
> 
> 
> On 16/04/2015 13:58 pm, Christoph Anton Mitterer wrote:
>> On Thu, 2015-04-16 at 12:13 +0200, Werner Koch wrote:
>>> On Thu, 16 Apr 2015 10:32, look@my.amazin.horse said:
>>>
>>>> Can someone explain why key usage and preference flags for the primary
>>>> were made part of user id signatures instead of a direct key signature
>>>
>>> Note that you may put them into a direct key signature.
>>>
>>> Assume you use the same key for home and work.  You have two user ids
>>> but at home you use an implementation and preferences you like while at
>>> work you have to comply with company policies and thus different
>>> preferences.
>> This has however some problems, which I've mentioned already in my
>> initial wishlist.
>>
>> - Nothing of this is really specified. One *may* interpret the standard
>> that it is as you say above.
>> - There is nothing specified that would resolve ambiguities (what if
>> there's both, direct-key signature and user id sig, setting the same
>> subpackets but with different properties)?
>>
>>
>>> Right, that is a bit artifical and for example gpg uses a direct key
>>> signature or the latest user id to get the key flags and preferences.
>>  From the standards PoV, the same problem as above... nothing really
>> specified what it means if e.g. flags are on a user sig or on a direct
>> key sig.
>> IMHO flags should anyway be immutable.
>>
>>
>>
>>> Remember that you anyway need to implement a policy on how to work with
>>> multipe self-signatures on the same user id, or with multiple direct key
>>> signatures.
>> The standard didn't even specify that newer sigs would replaces older
>> ones, right?
>>
>> IMO all quite fuzzy and vague... :(
>>
>> Cheers,
>> Chris.
>>
>>
>>
>> _______________________________________________
>> openpgp mailing list
>> openpgp@xxxxxxxx
>> https://www.ietf.org/mailman/listinfo/openpgp
>>
> 
> _______________________________________________
> openpgp mailing list
> openpgp@xxxxxxxx
> https://www.ietf.org/mailman/listinfo/openpgp
> 
> 

_______________________________________________
openpgp mailing list
openpgp@xxxxxxxx
https://www.ietf.org/mailman/listinfo/openpgp