[linux-elitists] RFC 2015 (MIME and PGP) -- RFC status?

Aaron Sherman ajs@ajs.com
Mon Mar 12 20:24:00 PST 2001


On Mon, Mar 12, 2001 at 04:16:08PM -0800, Aaron Lehmann wrote:
> On Mon, Mar 12, 2001 at 07:03:57PM -0500, Aaron Sherman wrote:
> > Please feel free to have a look at http://www.ajs.com/~ajs/pps/ and
> > let me know if you have any comments. PPS is short for Passive Privacy 
> > System, and combines PGP encryption with passive key-exchange.
> 
> I like this. It doesn't really help for message signing becuase there is
> no way to trust keys that are not exchanged securely (a major flaw of
> PGP). But if the goal is not to establish my identity but to allow other
> people to send encrypted mail to me (whoever _I_ may be), including key
> fingerprints in a standard way is a good idea.

Actually, I've been trying to get my head around signatures.

Keys are not EXCHANGED securely in this system, but that does not mean
that they're useless for signing.

A compliant application could, for example, provide you an interface
for turning on automatic signing of messages. These signatures would
be as reasonable as any other. Verifying the signatures could be done
automatically too.

The problem is that on the receiver side, this brings up the question
of whose key you REALLY have. You can confirm the key out-of-band
(e.g. the way Debian does it), but many people will be tempted to
think of an unverified key's signature as valid.

Some more thought will be in order, and perhaps signatures will be
part of a related, but separate specification.

-- 
Aaron Sherman		
ajs@ajs.com		finger ajskey@b5.ajs.com for GPG info. Fingerprint:
www.ajs.com/~ajs	6DC1 F67A B9FB 2FBA D04C  619E FC35 5713 2676 CEAF
 "Do you come from a land downunder, where beer does flow and the
  men chunder?" -Men at Work



More information about the linux-elitists mailing list