From: "L. Detweiler" <ld231782@longs.lance.colostate.edu>
Date: Fri, 19 Nov 93 17:34:44 PST
To: cypherpunks@toad.com
Subject: PRZ on Pseudospoofing
Message-ID: <9311200133.AA27198@longs.lance.colostate.edu>
MIME-Version: 1.0
Content-Type: text/plain


Mr. Zimmermann gave a fantastic talk yesterday to a packed house at a
Boulder (CO) Unix meeting. I really am extremely depressed that none of
the CA cypherpunks showed up (NOT! <g>). He talked about the complex
issues associated with his program. He's opposed to the Internet PEM
standard because it is a weaker standard than PGP in the sense that it
has a standard initialization vector, exposes recipients & senders of
messages in plaintext (if I'm not mistaken, sorry, I'm not an expert
but do play one on the cypherpunks list). 

Interestingly, he said that he thought that RSA was somewhat afraid of
him because (according to an insider) they didn't want to confront his
`folk hero' status. Mr. Zimmermann also had many comments on America as
a police state.

Unfortunately, I missed most of the talk because I am rather feckless
in real-world navigation vs. cyberspace and had a difficult time
zeroing in on the meeting geography coordinates (hee, hee). I would
have taken copious notes that would have shamed the best CA cypherpunk
and reported them wholesale if I had got there in time. I would be
interested in hearing anyone else's impressions of the meeting.

Mr. Zimmermann appeared to be somewhat sympathetic to my concerns about
pseudospoofing, particularly on the part of cypherpunks. He entertained
my suggestion of `signature revocation certificates' that would spread
virus-like to revoke trust through the `web of trust' when someone
realized they had been spoofed (betrayed). He seems to think that as
long as everybody follows the guidelines in the PGP documentation, the
`web of trust' would not really ever be corrupted. But he seemed to
come around in thinking that a `signature revocation certificate' might
lead to a more dynamic and responsive (and hence pure) web of trust.

An audience member asked Mr. Zimmermann if his arrangement with
ViaCrypt and licensing of RSA patents was `making stronger' RSA Inc.
and (implicitly) their stranglehold lock on public key patents. He
replied that the agreement actually made PGP stronger.

BTW don't `harass' Mr. Zimmermann over any features, at least don't
expect to see major revisions soon, they are all on the top of the
queue while he is in the `promotion of Viacrypt' stage vs. the `major
development and feature push' stage.


===cut=here===

To: prz@acm.org
Subject: a simple question
Date: Wed, 17 Nov 93 22:11:31 -0700
From: "L. Detweiler" <ld231782>

[Some] cypherpunks have made it clear to me they condone, and perhaps widely
practice, the following scenarios related to PGP:

1) real people signing imaginary identity's keys. I.e., I could make up
different identities (pseudospoofing) and sign their identities, and
have others sign these identities.

2) putting imaginary identities on the key servers. 

do you have some kind of opinion on these practices? they seem rather
dishonest to me, to say the least. But what do I know?

Subject: Re: a simple question
To: ld231782@longs.lance.colostate.edu (L. Detweiler)
Date: Thu, 18 Nov 93 1:39:13 MST
From: Philip Zimmermann <prz@acm.org>

It's not something I would do myself.  It strikes me as having 
potential to lead to bad situations, as you have described in
earlier notes.  I prefer to deal with people only as my real self.
It strikes me as unethical if used in fraudulent ways.

That's my opinion.

[...]

Regards,
Phil