From: Mike Ingle <MIKEINGLE@delphi.com>
Date: Sun, 14 Nov 93 21:30:52 PST
To: cypherpunks@toad.com
Subject: True Name keys
Message-ID: <01H5BPPICLNM9EEVDF@delphi.com>
MIME-Version: 1.0
Content-Type: text/plain


"ld231782@longs.lance.colostate.edu"  "L. Detweiler" complains:

><sigh> nobody is interested in preventing pseudospoofing here. the
>people who have most maneuvered themselves into a position to aid
>future cyberspace are instead constraining it. that's the point, isn't
>it? gosh, how could I have been so blind...

Not true at all. I proposed a more secure method, signing of keys by
trusted certifiers, and JMDiehl said he'd look into implementing it.
Warlord said that he didn't like the idea of having a separate
network of keyservers for True Names, but that keys could be certified
as True Name keys. Nobody said that they opposed the idea of True Name
keys. Such certifications, especially if from multiple parties, would
be much more secure than a network of keyservers. Remember that these
exchange keys, and if you could hack one, you could put a phony key
into the loop.

JMDiehl: your service would be more widely trusted, and potentially
profitable, if you bought a copy of ViaCrypt PGP for legality and
charged a small fee for your services. If there is money and your
reputation at stake, people will assume you are going to be more
careful in checking keys, and they will trust your service more.
You don't want any kind of automation; you want to verify each one
before signing it.

Warlord: Is there any way to clean out old keys from the keyservers?
How about keeping track of when a key was uploaded, and killing them
after a year or so. If a person wants to keep a key active, he can
mail it to the keyserver again before the year runs out. The keyservers
are full of old, dead, and revoked keys, and the number will continue
to grow as more people use PGP. Present keys could be killed a year
from now, or whenever.

Detweiler: why don't you do it? You could advance your crusade and
make some money in the process. Start a service to certify keys.
If a key were certified by several services, you could be pretty
sure of its authenticity.

Everyone: is it possible to translate RIPEM keys into PGP keys?
Can the signature be kept intact? Is it possible to use Mac signer
keys for encryption as well as signing? Doesn't it seem just a bit
political that the Mac system has RSA for signatures and a symmetric
cryptosystem, but no public-key encryption? Maybe something could
be done about this, but I don't have a Mac to try it.

--- MikeIngle@delphi.com