Miscellaneous questions

Herbert Furting lhshas at googlemail.com
Tue Apr 15 15:21:26 CEST 2008


On Tue, Apr 15, 2008 at 3:03 PM, Robert J. Hansen <rjh at sixdemonbag.org> wrote:
>  One of the best techniques available to us for controlling complexity in
>  software--and definitely the simplest--is to take a chainsaw to the
>  feature list.  Go through the specification and copy down every single
>  MUST.  Stop right there.  Implement the MUSTs, make them rock solid
>  reliable.  Only then allow yourself to start worrying about SHOULDs and
>  MAYs.
I thought gpg already implements the MUSTs very well (ok sometimes
there are security problems but this will probably never go away with
any software).


> > Apart from that I had some discussions with Christoph and we both think,
> > that the RFC should be much stricter, especially in what is required.
>  Bring it up with the working group.
He's still writing ;-)


>  I know of at least one major telco which was, for a while, using OpenPGP
>  to secure billing information on a national level.  That was some years
>  ago, though, and they may have changed their system since.  (Due to NDA,
>  I'm unable to disclose the telco name.)
Unfortunately I see a general trend to use the simpler but weaker
hierarchical model of X509.... :-(
Like the German national authority for digital signatures.... they
only offer X509.
btw: Some time ago I asked them where I could meet one of their
officials to securely get the root certificate...they told me that
this is not possible, and that the root certificate is only available
via an LDAP server... LOL
(You must know,.. in Germany there are no man in the middle attacks,
so this is actually secure *G*)

> > And for your specific example, no one forces the insurance company or
> > the bank to use the newer versions/features.
>  Except for people like you, who say "it's not hard to upgrade GnuPG, so
>  there's no reason to be concerned about interoperability with old
> versions".
Why? Just because new (perhaps incompatible) features are added in
newer versions,... nobody has to use those newer versions, right?

Best wishes,
Herbert.


