From: Bryce Wilcox <wilcoxb@nagina.cs.colorado.edu>
Date: Wed, 19 Jul 95 10:44:59 PDT
To: cypherpunks@toad.com
Subject: "Hey Phil!  Stop telling people *not* to use PGP!"  (plus: "help me with my PGP problems!")
Message-ID: <199507191744.LAA04117@nagina.cs.colorado.edu>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

[I posted the following to alt.security.pgp and sci.crypt.  -Bryce]


(If you don't want to help with my problems, skip to "Zimmermann needs to 
change pgpdoc1.txt" at the end.)


First, I am trying to communicate with a fellow who refuses to upgrade to
PGP2.6 because if RSA (as opposed to RSAREF) was good enough for Phil
then it's good enough for him!  Assuming for the moment that convincing
him to upgrade is not feasible, isn't there a hack by which I can interoperate
with him?  He's using 2.3a and I'm using 2.6ui, 2.6.2, 2.6.1 and 2.6.
(More on that later...)
  I can hack the C code if that is what is necessary to interoperate.


Second, I am using several public keys and several different versions of
PGP because I work from various computers with various levels of security.
That is: when I am in the University's computer lab I use one key <617C6DB9>
and the University's 2.6.2 but when I am on my home computer I use another
<148A11E5> and my linux PGP 2.6.1 (I'm going to upgrade it any day now...).
I also have a couple of other keys with "Bryce Wilcox" in the User ID field
for other uses.
  The problem/gripe is that whenever I try to manipulate public keys on
my keyring, PGP grabs the first one with User ID "Bryce".  How do I extract,
edit, sign, etc. the *other* "Bryce" keys on my public keyring.  I tried
giving PGP the Key ID, which seemed like the most reasonable user interface
to me, but that didn't work.


Third, how do I set those "PGP-Note" strings that appear in some people's
PGP Signature Blocks?



And lastly, a gripe.  Zimmermann's "pgpdoc1.txt" needs to be changed.

Let me explain:  I am in the (long, drawn-out) process of trying to convince
my friends and family members to use PGP.  The first hurdle is that it is
a pain in the butt to use, and they are not going to use it if it means they
have to learn a handful of Unix commands and spend 30 seconds screwing with
it every time they want to send mail.  But that isn't the subject of this
gripe.

  The second hurdle manifests when I send them a copy of "pgpdoc1.txt".  They
start browsing through it and come upon "NEVER EVER use PGP on a remote,
multi-user system.  It wouldn't have maximum security in that situation."
  They say "Oh, well I guess I can't use it then because damned if I'm going
to upload and download all of my mail at 1200 baud just so Bryce will quit 
bugging me about this PGP thing."
  So I say "No no no, using it on a remote system is still better than
nothing.  Just be aware that it is easier to crack your secret key when
you use it there than if you kept it on your home computer."

  So they go back to reading "pgpdoc1.txt" and it says "NEVER EVER use a
public key which was sent to you through the Net.  It could be tampered with."
  So they say, "What, I have to make a long-distance phone call to Cousin Joe
in Israel before I can send him a 'Happy Birthday' message using PGP?  Why
bother?"
  And I say "No no no, using a key which you got through the Net is better 
than using no key at all, just be aware that if someone *really* wanted
to spy on you that they could have tampered with it.  When you see Cousin
Joe next Christmas you can compare keys with him and make sure you have the
right one."

In short, pgpdoc1.txt needs to quit saying "NEVER EVER use PGP in other than
MAXIMAL SECURITY situations" and start saying "If you want MAXIMAL security,
do it this way, and if you are satisfied with lesser security, here are
other options."



I am fond of saying that we PGP enthusiasts have two choices ahead of us
within a couple of years:  either 5,000 enthusiasts using PGP with
MAXIMAL SECURITY at all times, or 5,000 enthusiasts with MAXIMAL
SECURITY and 10,000,000 computer-illiterate e-mail users using PGP with
push-button interfaces and multi-user remote systems.


The important thing, of course, is the easy-to-use, e-mail-integrated
software (version 3.0, I hope?), but it would also help if Zimmermann's
PGP Doc didn't tell those computer-illiterates to either "become enthusiasts
or don't use it."


Bryce
signatures follow

    /=============------------             URL of the Day:  DigiCash bv
     Bryce Wilcox,  Programmer       The currency of the future!  Give me a
     bryce.wilcox@colorado.edu       cyberbuck because I gave you this URL:
     ------------=============/              http://www.digicash.com/

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMA1EKPWZSllhfG25AQHzPAP+MB/JLhN+Un9yVXRv5fejb297YONynlPF
EXxN6L7OwcD4q9XE23XdlutlQbAoK2tKbBLjTYat7s/t53W+jpCyKOChN7zn4V+I
bdAu8TKE4IG9a7fzxK0jqcpHBWqU2SaRxpaPEKl7HXbtFJxdKqn1n/M7INPJxF2w
/JsyZom8gmk=
=Tzje
-----END PGP SIGNATURE-----