From: "Mark M." <markm@voicenet.com>
Date: Wed, 3 Jul 1996 14:40:31 +0800
To: "David F. Ogren" <ogren@cris.com>
Subject: Re: Lack of PGP signatures
In-Reply-To: <199607022343.TAA21050@darius.cris.com>
Message-ID: <Pine.LNX.3.94.960702230424.178A-100000@gak>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

On Tue, 2 Jul 1996, David F. Ogren wrote:

> I've noticed recently that two PGP programmers (Mr. Zimmerman and Mr.
> Atkins) do not seem to PGP clearsign their messages to this list. In fact,
> a surprisingly small percentage of messages on the C-punk list are signed.
> This despite the fact that the average subscriber is at least literate in
> PGP.
> 
> Does anybody have any speculation on why this is?
> 
> Is it because people consider mundane mail unimportant enough to sign?

This is one reason.  I think that there are several other reasons:

 -- Someone may be using a machine at work or on a multiuser UNIX system which
    is untrusted and insecure.  In the case of a UNIX account, one could
    compose a message off-line and rz it using a term program, but that is a
    major hassle.

 -- Many email programs do not have support for PGP so signing a message often
    requires a lot of cutting and pasting.

 -- PGP may not work on the computer a person is using for Internet access or
    the system might be too slow to use PGP.
    
> 
> Is it because the members of this list are more concerned with encryption
> than authentication?

I think they are both equally important.  The point of public-key cryptography
is the ability to communicate with a person without having a secure channel to
exchange keys.  Once keys can be transmitted using the same medium used for the
encrypted traffic, it makes a MITM or denial-of-service attack much easier.
There has to be some out-of-band method to authenticate keys.  Without
authentication, a lot of the security that could be gained by using PK crypto
is lost.

> 
> Is it because most mail programs are not PGP aware?

I don't know of any mail programs that can use PGP (I know there are various
interfaces, sendmail wrappers, and other hacks, but I have yet to see a mailer
with an "Encrypt" or "Sign" option.

> 
> Is it because of the weaknesses in MD5?

Doubtful.  PGP authentication is better than no authentication.

- -- Mark

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
markm@voicenet.com              | finger -l for PGP key 0xe3bf2169
http://www.voicenet.com/~markm/ | d61734f2800486ae6f79bfeb70f95348
"Freedom is the freedom to say that two plus two make four.  If that
is granted, all else follows."  --George Orwell, _1984_


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3
Charset: noconv

iQCVAwUBMdnnBLZc+sv5siulAQEIpAP/WesfBknwJeUnNIZzYtLkJkqR7hMu2jYz
9migOABikpYDwe0H8Dfn34ff3bab5xncoJ7M8l0HmvrISMjeFp9DpKXT0yJ0rk7a
HymHCGyGpJXjQ+snbLoyEQbB4DzcE+BjihSM2upmIMhQbH3paEagc41VwL+udfVA
EsWUux6Yato=
=8SiH
-----END PGP SIGNATURE-----