1992-11-29 - Re: Secure key exchange

Header Data

From: edgar@spectrx.Saigon.COM (Edgar W. Swank)
To: Cypherpunks <cypherpunks@toad.com>
Message Hash: 7f7fdec2eabc94968f64e6a546887c6e46c4161f808373a5fe02c8711a663df9
Message ID: <PBgyuB5w165w@spectrx.saigon.com>
Reply To: N/A
UTC Datetime: 1992-11-29 15:56:36 UTC
Raw Date: Sun, 29 Nov 92 07:56:36 PST

Raw message

From: edgar@spectrx.Saigon.COM (Edgar W. Swank)
Date: Sun, 29 Nov 92 07:56:36 PST
To: Cypherpunks          <cypherpunks@toad.com>
Subject: Re: Secure key exchange
Message-ID: <PBgyuB5w165w@spectrx.saigon.com>
MIME-Version: 1.0
Content-Type: text/plain


On Nov 26, Mark inquired about "secure" methods of exchanging public
keys.  Apparently the only really secure method is a physical transfer
face-to-face with someone you know; or to have a key certified by
someone you trust whose key you trust. [PGP has key certification
built-in; for other implementations, just digitally sign some form
of the key to be certified].
 
There is no secure method of exchanging public keys using only the
net.  As far as you know all your messages, both incoming and
outgoing, are being intercepted by a "spoofer" who will substitute
his public key for yours in all outgoing messages and another public
key of his for each unique public key intercepted in incoming mail.
 
A few methods were discussed on Extropians of trying to get a genuine
public key distributed by outsmarting the spoofer. But if the spoofer
is smarter than you, these methods will fail.
 
That leaves methods which exchange, or at least verify, keys by other
means than the network.  I proposed a service to verify keys by paper
mail and (optionally) telephone.  Here is an update of what I posted.
The offer is still good.
================================================================
I'd like to announce the opening of the Swank Public Key Verification
Service.
 
To become a customer, do the following.
 
1)On a piece of paper put:
 
   a)Your name and Network address.
   b)The "armored" ASCII form of your PGP 2.0 Public Key.
   c)(optional) Any other information you want to certify
     about yourself, such as:
      Home address.
      Mailing address (if different).
      Home phone number.
      Occupation-Work Phone-Work Address.
      "I am not a law enforcement officer or agent."
   d)"I certify the above to be true under penalty of perjury".
   e)A photocopy of your driver's license or other picture ID
     with signature.
     Actually this is a photocopy of all of the above with the
     ID on top of the original.
     [note: if you don't want to reveal your home address, you
     can cover that portion of your photo ID. Your name, photo,
     and signature must show]
   f)Your signature. (NOT photocopied)
   g)(optional) Have the paper notarized.
 
2)E-mail to me
   edgar@spectrx.saigon.com (Edgar W. Swank)
 
  An ASCII message containing Items a) through d).
  You may encrypt this with my public key (optional).
 
3)Mail to me at
  Edgar W. Swank
  5515 Spinnaker Dr., #4
  San Jose, CA 95123
 
Via U.S. Mail or alternate such as FedEx:
 
  a)The paper prepared as specified above.
  b)A self-addressed, stamped envelope.
    This could also be a pre-paid FedEx envelope.
    It could be addressed to a trusted friend if you're
    concerned your own mail may be intercepted.
  c)$1.00 cash (preferred), check, money order, etc.
    Payment by check will delay processing until check clears.
    If you don't enclose a self-addressed stamped envelope,
    enclose an extra $1.00.
 
That's all you have to do. Then what I will do for you:
 
I will visually verify that the public key on the paper matches
the key I received via E-mail and that the signature on your
photocopied ID matches your original signature on the paper.
(I do not claim to be a handwriting expert).
 
I will send to you by return E-Mail your public key signed with
my public key.
 
I will send to you in the envelope you supplied (or to the address
you specify) a paper about myself constructed as described above
(but not notarized - if you want notarized send an extra $10).
This will give you a verification independent of the network
that my public key is really mine.
 
I will post your machine-readable ASCII record that you E-mailed to me
to Extropians and Cypherpunks (optional, specify if you DON'T want
this).  This feature is subject to no objection from Extropians and
Cypherpunks list management.
 
I will keep your paper on file for at least one year.
 
Anyone may request a photocopy of your paper (and up to three others)
by sending me $1 and a self-addressed, stamped envelope.
I will also send your machine-readable ASCII record to his
network address, if supplied.
 
Any customer may also phone me directly at (408)227-3471 during
reasonable hours and I will verify your/others public key(s) by
reading them over the phone.
 
Edgar W. Swank
5515 Spinnaker Dr., #4
San Jose, CA 95123
edgar@spectrx.saigon.com (Edgar W. Swank)
(408)227-3471  (listed)
Cal. Drivers License MO531219
Retired from IBM -- Employee #788281
I am not a law enforcement officer or agent
Here is my PGP 2.0 Public Key:
 
--Type bits/keyID   Date       User ID
--pub  1024/87C0C7 1992/10/17  Edgar W. Swank <edgar@spectrx.saigon.com>
--sig       67F70B              Philip R. Zimmermann <prz@sage.cgd.ucar.edu>
======================================================================
Other Options:
 
If you have a listed phone number and request it, I will verify your
number through information and call you (collect) to verify the public
key you sent me.  I will add this as a notation to your electronic and
paper record.  No extra charge!
 
Another possible option is to use a full color photocopy of your photo
ID.  This costs about $1.00 at photocopy centers such as Photo
Drive-Up as opposed to 5 or 10 cents for an ordinary photocopy.  I
will also note this on your electronic and paper record.
======================================================================
So far I have zero (0) customers. Philip Zimmermann, in e-mail to me,
endorsed the idea, but he has declined to become a customer himself
even though I waived the fee for him.
 
Plan B is to exchange/verify public keys face-to-face at parties,
such as the PenSFA parties I previously posted info about. Rather than
bringing diskettes, I would think printed copies of (armored form)
public keys would be easy to handle. I have printed up business-card
size copies of *fragments* of my public keys with the 6-hex-digit
"Key ID".  I think it would be very difficult to generate a valid new
key pair where the public key matched the key ID and key
fragment.

--
edgar@spectrx.saigon.com (Edgar W. Swank)
SPECTROX SYSTEMS +1.408.252.1005  Silicon Valley, Ca
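An added illustration, not part of the original message, of the "spoofer" substitution described above and of the two out-of-band checks the post relies on (the business-card key ID plus key fragment, and a fingerprint read over the phone). It is Python with constructed stand-in keys; the 6-hex-digit key ID layout and the fragment length are assumptions, and certification signatures are not modelled.

```python
import base64
import hashlib

# Constructed sample keys: stand-ins for the binary form of two public keys.
# 128 bytes each, about the size of a 1024-bit modulus. Not real PGP keys.
ALICE_PUBKEY = hashlib.sha256(b"alice-demo-key").digest() * 4
SPOOFER_PUBKEY = hashlib.sha256(b"spoofer-demo-key").digest() * 4

def armor(pubkey: bytes) -> str:
    """ASCII-armored (base64) form, the form printed on paper or a card."""
    return base64.b64encode(pubkey).decode("ascii")

def key_id(pubkey: bytes) -> str:
    """6-hex-digit key ID. Assumption: modelled on PGP 2.0's display of the
    low 24 bits of the key, taken here as the last three sample bytes."""
    return pubkey[-3:].hex().upper()

def fingerprint(pubkey: bytes) -> str:
    """Hash of the key, short enough to read aloud over the phone."""
    return hashlib.sha256(pubkey).hexdigest()[:32].upper()

def business_card(pubkey: bytes, fragment_len: int = 24) -> dict:
    """What is handed over face-to-face: key ID plus a fragment of the key."""
    return {"key_id": key_id(pubkey), "fragment": armor(pubkey)[:fragment_len]}

def spoofer_intercept(armored_on_the_wire: str) -> str:
    """The spoofer of the post: substitutes his own key for the one in transit."""
    return armor(SPOOFER_PUBKEY)

def check_against_card(armored_received: str, card: dict) -> bool:
    """Out-of-band check: does the key received over the net match the card?"""
    received = base64.b64decode(armored_received)
    return (key_id(received) == card["key_id"]
            and armor(received).startswith(card["fragment"]))

def check_over_phone(armored_received: str, fingerprint_read_aloud: str) -> bool:
    """Out-of-band check: compare against the fingerprint read over the phone."""
    return fingerprint(base64.b64decode(armored_received)) == fingerprint_read_aloud

def demo() -> dict:
    card = business_card(ALICE_PUBKEY)      # exchanged at the party
    honest = armor(ALICE_PUBKEY)             # arrives unmodified
    tampered = spoofer_intercept(honest)     # arrives after substitution
    phone = fingerprint(ALICE_PUBKEY)        # Alice reads this aloud
    return {
        "honest_card": check_against_card(honest, card),
        "tampered_card": check_against_card(tampered, card),
        "honest_phone": check_over_phone(honest, phone),
        "tampered_phone": check_over_phone(tampered, phone),
    }

if __name__ == "__main__":
    print(demo())
```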