1992-11-29 - Re: Secure key exchange

Header Data

From: edgar@spectrx.Saigon.COM (Edgar W. Swank)
To: Cypherpunks <cypherpunks@toad.com>
Message Hash: 7f7fdec2eabc94968f64e6a546887c6e46c4161f808373a5fe02c8711a663df9
Message ID: <PBgyuB5w165w@spectrx.saigon.com>
Reply To: N/A
UTC Datetime: 1992-11-29 15:56:36 UTC
Raw Date: Sun, 29 Nov 92 07:56:36 PST

Raw message

From: edgar@spectrx.Saigon.COM (Edgar W. Swank)
Date: Sun, 29 Nov 92 07:56:36 PST
To: Cypherpunks          <cypherpunks@toad.com>
Subject: Re: Secure key exchange
Message-ID: <PBgyuB5w165w@spectrx.saigon.com>
MIME-Version: 1.0
Content-Type: text/plain

On Nov 26, Mark inquired about "secure" methods of exchanging public
keys.  Apparently the only really secure method is a physical transfer
face-to-face with someone you know; or to have a key certified by
someone you trust whose key you trust. [PGP has key certification
built-in; for other implementations, just digitally sign some form
of the key to be certified].

There is no secure method of exchanging public keys using only the
net.  As far as you know all your messages, both incoming and
outgoing, are being intercepted by a "spoofer" who will substitute
his public key for yours in all outgoing messages and another public
key of his for each unique public key intercepted in incoming mail.

A few methods were discussed on Extropians of trying to get a genuine
public key distributed by outsmarting the spoofer. But if the spoofer
is smarter than you, these methods will fail.

That leaves methods which exchange, or at least verify, keys by other
means than the network.  I proposed a service to verify keys by paper
mail and (optionally) telephone.  Here is an update of what I posted.
The offer is still good.

I'd like to announce the opening of the Swank Public Key Verification
To become a customer, do the following.
1) On a piece of paper put:
   a) Your name and Network address.
   b) The "armored" ASCII form of your PGP 2.0 Public Key.
   c) (optional) Any other information you want to certify
      about yourself, such as:
       Home address.
       Mailing address (if different).
       Home phone number.
       Occupation-Work Phone-Work Address.
       "I am not a law enforcement officer or agent."
   d) "I certify the above to be true under penalty of perjury".
   e) A photocopy of your driver's license or other picture ID
      with signature.
      Actually this is a photocopy of all of the above with the
      ID on top of the original.
      [note: if you don't want to reveal your home address, you
      can cover that portion of your photo ID. Your name, photo,
      and signature must show]
   f) Your signature. (NOT photocopied)
   g) (optional) Have the paper notarized.
2) E-mail to me
   edgar@spectrx.saigon.com (Edgar W. Swank)
   an ASCII message containing Items a) through d).
   You may encrypt this with my public key (optional).
3) Mail to me at
   Edgar W. Swank
   5515 Spinnaker Dr., #4
   San Jose, CA 95123
   via U.S. Mail or alternate such as FedEx:
   a) The paper prepared as specified above.
   b) A self-addressed, stamped envelope.
      This could also be a pre-paid FedEx envelope.
      It could be addressed to a trusted friend if you're
      concerned your own mail may be intercepted.
   c) $1.00 cash (preferred), check, money order, etc.
      Payment by check will delay processing until check clears.
      If you don't enclose a self-addressed stamped envelope,
      enclose an extra $1.00.
That's all you have to do. Then what I will do for you:

I will visually verify that the public key on the paper matches
the key I received via E-mail and that the signature on your
photocopied ID matches your original signature on the paper.
(I do not claim to be a handwriting expert).

I will send to you by return E-Mail your public key signed with
my public key.

I will send to you in the envelope you supplied (or to the address
you specify) a paper about myself constructed as described above
(but not notarized - if you want notarized send an extra $10).
This will give you a verification independent of the network
that my public key is really mine.

I will post your machine-readable ASCII record that you E-mailed to me
to Extropians and Cypherpunks (optional, specify if you DON'T want
this).  This feature is subject to no objection from Extropians and
Cypherpunks list management.

I will keep your paper on file for at least one year.

Anyone may request a photocopy of your paper (and up to three others)
by sending me $1 and a self-addressed, stamped envelope.
I will also send your machine-readable ASCII record to his
network address, if supplied.

Any customer may also phone me directly at (408)227-3471 during
reasonable hours and I will verify your/others' public key(s) by
reading them over the phone.

Edgar W. Swank
5515 Spinnaker Dr., #4
San Jose, CA 95123
edgar@spectrx.saigon.com (Edgar W. Swank)
(408)227-3471  (listed)
Cal. Drivers License MO531219
Retired from IBM -- Employee #788281
I am not a law enforcement officer or agent
Here is my PGP 2.0 Public Key:
--Type bits/keyID   Date       User ID
--pub  1024/87C0C7 1992/10/17  Edgar W. Swank <edgar@spectrx.saigon.com>
--sig       67F70B              Philip R. Zimmermann <prz@sage.cgd.ucar.edu>
Version: 2.03
Other Options:

If you have a listed phone number and request it, I will verify your
number through information and call you (collect) to verify the public
key you sent me.  I will add this as a notation to your electronic and
paper record.  No extra charge!

Another possible option is to use a full color photocopy of your photo
ID.  This costs about $1.00 at photocopy centers such as Photo
Drive-Up as opposed to 5 or 10 cents for an ordinary photocopy.  I
will also note this on your electronic and paper record.

So far I have zero (0) customers. Philip Zimmermann, in e-mail to me,
endorsed the idea, but he has declined to become a customer himself
even though I waived the fee for him.

Plan B is to exchange/verify public keys face-to-face at parties,
such as the PenSFA parties I previously posted info about. Rather than
bringing diskettes, I would think printed copies of (armored form)
public keys would be easy to handle. I have printed up business-card
size copies of *fragments* of my public keys with the 6-hex-digit
"Key ID".  I think it would be very difficult to generate a valid new
key pair where the public key matched the key ID and key

edgar@spectrx.saigon.com (Edgar W. Swank)
SPECTROX SYSTEMS +1.408.252.1005  Silicon Valley, Ca
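The post makes three points in turn: a "spoofer" who controls the net can swap keys in transit, a check made by other means (paper, phone, a card handed over in person) catches the swap, and a key certified by a trusted introducer's signature can be checked without any out-of-band contact with the key's owner. The script below, added here as a worked example and not part of Edgar Swank's post or of PGP, models all three. Everything in it is constructed for illustration: the key pairs are textbook RSA over 7-digit primes (far too small to be secure), the "armored" key form, the SHA-256 fingerprint and the six-hex-digit key ID are toy stand-ins, and the party names (Alice, Bob, Mallory the spoofer, Edgar the introducer) are assumptions.

```python
import hashlib
import random
from math import gcd

# --- toy RSA, constructed for illustration only (7-digit primes, not secure) ---

def _is_prime(n: int) -> bool:
    """Trial division; adequate for the 7-digit candidates used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    i = 3
    while i * i <= n:
        if n % i == 0:
            return False
        i += 2
    return True

def _random_prime(rng: random.Random, lo: int = 1_000_000, hi: int = 9_999_999) -> int:
    while True:
        cand = rng.randrange(lo, hi) | 1
        if _is_prime(cand):
            return cand

def keygen(seed: int):
    """Deterministic toy key pair: public key (n, e), private key (n, d)."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _random_prime(rng), _random_prime(rng)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            break
    n = p * q
    d = pow(e, -1, phi)
    return (n, e), (n, d)

def key_bytes(pub) -> bytes:
    """Canonical 'armored' form of a public key, as it would be e-mailed or printed."""
    n, e = pub
    return f"n={n};e={e}".encode()

def fingerprint(pub) -> str:
    """Full fingerprint: what you read over the phone or compare on paper."""
    return hashlib.sha256(key_bytes(pub)).hexdigest()

def key_id(pub) -> str:
    """Short key ID (last 6 hex digits), a toy analogue of the 6-hex-digit IDs in the post."""
    return fingerprint(pub)[-6:]

def sign(priv, data: bytes) -> int:
    n, d = priv
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
    return pow(h, d, n)

def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
    return pow(sig, e, n) == h

# --- the scenario the post describes ---

def spoofing_relay(pub_in_transit, spoofer_pub):
    """The spoofer sees the key go by and substitutes his own."""
    return spoofer_pub

def verify_out_of_band(received_pub, fingerprint_read_over_phone: str) -> bool:
    """Compare the key that arrived over the net with a fingerprint obtained elsewhere."""
    return fingerprint(received_pub) == fingerprint_read_over_phone

def verify_certified(received_pub, cert_sig: int, introducer_pub) -> bool:
    """Check the introducer's signature over the received key (the 'signed key' in the post)."""
    return verify(introducer_pub, key_bytes(received_pub), cert_sig)

def run_scenario() -> dict:
    alice_pub, _ = keygen(1)                    # the genuine key
    mallory_pub, mallory_priv = keygen(2)       # the spoofer's key
    edgar_pub, edgar_priv = keygen(3)           # introducer; Bob got this key by paper mail

    # 1. Alice's key crosses the net; Bob receives the spoofer's key instead.
    bob_sees = spoofing_relay(alice_pub, mallory_pub)

    # 2. Out-of-band: Alice reads her fingerprint to Bob by phone.
    phone_fp = fingerprint(alice_pub)

    # 3. Certification: Edgar verified Alice's key by paper and signed it.
    edgar_cert = sign(edgar_priv, key_bytes(alice_pub))
    # The spoofer can only certify his own key under his own private key.
    mallory_cert = sign(mallory_priv, key_bytes(mallory_pub))

    return {
        "substituted": bob_sees != alice_pub,
        "oob_rejects_spoof": not verify_out_of_band(bob_sees, phone_fp),
        "oob_accepts_real": verify_out_of_band(alice_pub, phone_fp),
        "cert_accepts_real": verify_certified(alice_pub, edgar_cert, edgar_pub),
        "cert_rejects_spoof": not verify_certified(bob_sees, mallory_cert, edgar_pub),
        "forwarded_cert_rejects_spoof": not verify_certified(bob_sees, edgar_cert, edgar_pub),
        "alice_key_id": key_id(alice_pub),
    }

if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {ok}")
```

Two things the run shows that the prose only states: the spoofer's substitution is invisible on the wire (the received key is a perfectly valid key, just not Alice's), and a certificate does not travel usefully with a swapped key, since Edgar's signature covers Alice's key bytes and fails over Mallory's. When checking by phone or from a printed card, compare the whole fingerprint rather than a six-hex-digit ID: the short ID is only 24 bits, and `verify_out_of_band` above deliberately compares the full digest.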