[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: V5 signatures

In <v04003a03b390ad882d32@[]>, on 06/18/99 
   at 07:17 PM, Jon Callas <jon@callas.org> said:

>At 5:47 PM -0700 6/18/1999, hal@finney.org said:

>   Couldn't this be done though by simply defining a data packet format
>   as for any other protocol, then signing the data packet?  I don't see
>   any inherent reason why all authenticated data must go in sig packets.
>   Sigs authenticate the data packets they sign, so anything in those
>   packets is as strongly authenticated as the contents of the sig

>Sure. It can be done that way, too. The advantage of doing it in a
>signature packet is that it is a self-describing object with a tag and a
>length. It's useful.

I really don't see it as any more useful than doing it as hal describes
but things like pgp ticket are not my concern as they fit within current
restraints of V4 signatures (which IMHO are overly complex). My concern is
when the legal depts get the bright idea to add several pages of legalese
to every signature to let the world know that their signatures are really
worthless (al la S/MIME). If we design a V5 signature format that can
accommodate 1Mb of data to be stuffed into a signature, you can bet some
idiot will start generating 1Mb signatures.

IMHO we should keep the signatures nice and simple (and most importantly
small) and leave the data in the literal packets where it belongs. I think
that we, as protocol developers must always stay vigilant against feature
creep. PGP started out as a simple, rather elegant, program to encrypt &
sign e-mail message. Both the OpenPGP protocol and NAI's corresponding
application have dramatically increased in size and complexity, yet
surprisingly (or less surprising for the more cynical of us) it does
relatively little more than the original program and protocol did. 

William H. Geiger III  http://www.openpgp.net
Geiger Consulting    Cooking With Warp 4.0

Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 5.0 at: http://www.openpgp.net/pgp.html
Talk About PGP on IRC EFNet Channel: #pgp Nick: whgiii

Hi Jeff!! :)