[linux-elitists] GPG luser rant

Seth David Schoen schoen@loyalty.org
Fri Apr 13 12:58:01 PDT 2001


Karsten M. Self writes:

> on Fri, Apr 13, 2001 at 11:50:11AM -0700, Rick Moen (rick@linuxmafia.com) wrote:
> > begin  Karsten M. Self quotation:
> > 
> > > Better yet, if folks actually *do* get GPG installed on their systems,
> > > when there comes a need to send private mail, the option to go encrypted
> > > exists.  We're shooting for a baseline state in which a presumption of
> > > the presence of cryptographic infrastructure is valid, and the ability
> > > to originate, receive, and validate such communications exists.
> > 
> > Yes, I certainly see the point.  
> > 
> > I wish it were not the case, but there are not yet very workable
> > real-world systems for distributing, managing, and revoking keys --
> > PKI/certificate authority or web-of-trust models are both problematic
> > in those areas if you aim for both day-to-day practicality and
> > meaningful authentication.  Much as I would like to hope that these 
> > are early implementation issues that will be ironed out, the worst of
> > them appear essential to the authentication models concerned.
> 
> There is a distributed public keyserver network.  This seems to work
> reasonably well from a data distribution standpoint.  I'd be interested
> in knowing what specific problems exist with it.
> 
> Revocation seems to be the real nit.  There isn't an analog, AFAIK, in
> the PGP model to a "revocation signature".  That is, signing a key to
> say "I know this key and it is false, invalid, or revoked".

How about a revocation certificate?

gpg --gen-revoke

They used to be called "key compromise certificates" in some
connections.  You generate one for yourself, and then you keep it
somewhere where you can get it if your key is lost or compromised.  In
that case, you send it out.

Keyservers can deal with distributing key compromise certificates.
But (as with much else in the PGP world) most users don't understand
them or what they mean.

-- 
Seth David Schoen <schoen@loyalty.org>  | And do not say, I will study when I
Temp.  http://www.loyalty.org/~schoen/  | have leisure; for perhaps you will
down:  http://www.loyalty.org/   (CAF)  | not have leisure.  -- Pirke Avot 2:5
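The lifecycle Seth describes (generate the revocation certificate ahead of time, keep it somewhere safe, send it out once the key is lost or compromised, let keyservers and correspondents merge it) as an added, runnable example. This is not code from the thread; it assumes a GnuPG 2.x `gpg` on PATH, and every key, user ID and file name below is constructed for the demo and lives in a throwaway keyring.

```shell
#!/bin/sh
# Added example, not from the original post: the lifecycle of an OpenPGP
# revocation certificate with GnuPG, run entirely inside a private keyring.
# Assumes a GnuPG 2.x `gpg` on PATH; the key and user ID are constructed.
set -eu

KEY_UID="Constructed Test Key <revoke-example@example.invalid>"
KEYRINGS=""

# Point GNUPGHOME at a fresh private directory so nothing here touches the
# operator's real keyring; every directory created is removed on exit.
new_keyring() {
    GNUPGHOME="$(mktemp -d)"
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    KEYRINGS="$KEYRINGS $GNUPGHOME"
}
trap 'for d in $KEYRINGS; do GNUPGHOME="$d" gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$d"; done' EXIT

# Step 1: a passphrase-less signing key, constructed for the demo only.
# Prints its fingerprint, which the later steps use to name the key.
make_test_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$KEY_UID" ed25519 sign 0 2>/dev/null
    gpg --batch --with-colons --list-keys "$KEY_UID" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Step 2: the command from the post, driven non-interactively. gpg asks
# four things (create?, reason code, description ended by a blank line,
# confirm); --command-fd 0 makes it read the answers from the here-document.
# Reason 1 is "key has been compromised". The certificate goes to $2.
make_revocation_cert() {
    fpr="$1"; out="$2"
    gpg --no-tty --armor --pinentry-mode loopback --passphrase '' \
        --command-fd 0 --status-fd 1 --output "$out" --gen-revoke "$fpr" \
        >/dev/null <<'EOF'
y
1
Constructed example: key reported compromised

y
EOF
}

# Step 3: what a keyserver or a correspondent does on receipt. Importing the
# certificate merges the revocation signature into the stored public key.
apply_revocation() {
    gpg --batch --quiet --import "$1" 2>/dev/null
}

# Prints "yes" once gpg treats the primary key as revoked: the validity
# field (second field of the "pub" record in --with-colons output) is "r".
key_is_revoked() {
    gpg --batch --with-colons --list-keys "$1" \
        | awk -F: '$1 == "pub" { print (($2 == "r") ? "yes" : "no"); exit }'
}

# Demo run; skipped rather than failed when no gpg binary is available.
if command -v gpg >/dev/null 2>&1; then
    new_keyring
    fpr="$(make_test_key)"
    echo "generated $fpr, revoked: $(key_is_revoked "$fpr")"
    make_revocation_cert "$fpr" "$GNUPGHOME/revoke.asc"
    # The certificate is now the thing to keep offline and guard: anyone who
    # holds it can retire the key. Publishing it would be
    #   gpg --send-keys "$fpr"
    # which is deliberately not run here so the example stays offline.
    apply_revocation "$GNUPGHOME/revoke.asc"
    echo "after import, revoked: $(key_is_revoked "$fpr")"
fi
```

Two practical notes. The certificate is only as safe as wherever it is kept: it needs no passphrase to use, so it should be stored as carefully as the secret key, just more reachably. And GnuPG 2.1 and later already writes one at key-generation time into `$GNUPGHOME/openpgp-revocs.d/<FINGERPRINT>.rev`, with a colon prefixed to the armor header so it cannot be imported by accident; removing that colon before import is the intended step.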