From: "Perry E. Metzger" <perry@piermont.com>
Date: Tue, 12 Sep 95 03:29:50 PDT
To: gjeffers@socketis.net (Gary Jeffers)
Subject: Re: PGP in UK - snooped as unSTEALTHed?
In-Reply-To: <199509121021.FAA22455@mail.socketis.net>
Message-ID: <199509121029.GAA15937@frankenstein.piermont.com>
MIME-Version: 1.0
Content-Type: text/plain



Gary Jeffers writes:
>    Well, I just used MIT's PGP 2.6.2 with 3 different users' public
> keys to encrypt 3 different files. In all 3 files, the first 3
> characters were the same (an umlauted A, then an i with an up arrow
> over it, and then a heart). This beginning 3 character string is
> apparently the infamous PGP RSA signature. The signature that says
> to spooks' programmed encryption sniffers - "HEY! I'M PGP -  GIVE ME
> A LOOK!."

As if they couldn't figure it out anyway. It isn't an "RSA signature"
by the way. Read format.doc sometime.

>    When are the PGP designers and coders going to get serious and de-
> velope STEALTH PGP inside PGP itself!?

Never, I hope. It would dramatically lower the utility of the
system. Can you imagine how disgusting it would be to try decrypting
something if you have a dozen keys outstanding? Not to mention how
hard it would be to deal with figuring out that you should even try to
decrypt things in the first place.

>   So what, -that "only a few companies" will be discovered to be using PGP
> through the RSA signature!? Those few companies are the seeds for the
> vast numbers of companies that would follow them in using PGP over the
> Internet. The RSA signature is the flag that allows the spooks to easily
> net the bold first companies. The RSA signature is greatly impeding the
> spread of PGP use over the Internet. PGP MUST BE STEALTHED!!

It isn't an RSA signature. Its a bunch of magic numbers.

Look, get real already. If someone sees a bunch of random numbers in
mail sent by me, its going to be pretty obvious what the hell is
inside anyway.

I very much see this whole thing as a non-issue.

Perry