1993-10-23 - Re: ADMIN: proposed new policy on the mailing list

Header Data

From: Matt Blaze <mab@crypto.com>
To: cypherpunks@toad.com
Message Hash: 3fe894f4281d0d1a354e314e603c6bb03c929aefd1092fbc8d3fd5ba4cb5c734
Message ID: <9310231835.AA09172@crypto.com>
Reply To: N/A
UTC Datetime: 1993-10-23 18:43:26 UTC
Raw Date: Sat, 23 Oct 93 11:43:26 PDT

Raw message

From: Matt Blaze <mab@crypto.com>
Date: Sat, 23 Oct 93 11:43:26 PDT
To: cypherpunks@toad.com
Subject: Re: ADMIN: proposed new policy on the mailing list
Message-ID: <9310231835.AA09172@crypto.com>
MIME-Version: 1.0
Content-Type: text/plain


Oops, forgot to cc this to the list:

While I'm all for encouraging the use of digital signatures, I think this
is a bad idea.  The fact is there is not yet a truely generally available
method for digitally signing messages, and there are two competing standards
from which to choose as it is.  Just how should messages be signed?  PEM?
PGP?  What consititues a valid certificate?  (Actually, this question when
applied to your proposal underscores the inadequacy of both systems in
processing heterogeneous signatures - pgp imposes too little structure
and pem imposes too much.  But that's another story).

Then there's the practical problem that some people simply can't use a
particular signature technique with exisiting software and systems.
These people include:

- People outside the US and Canada, who can't legally use any PEM
implementation of which I'm aware because of restrictions on RSAREF.

- People in the US who can't use PGP because they're afraid to.

- People in the US who want to use PGP but can't because the people who
own/operate the computers they use won't let them.  Some people on public
access and university systems and many people in lawsuit-conscious large
companies with deep pockets are included here.

- People who would love to use PGP or PEM but don't see the point because
they don't fully trust the system on which they would sign their messages.
Anyone who uses anything but a private, single-user workstation SHOULD
be in this category.

- People who would love to use PGP or PEM but can't because they don't have
a working implementation of their secure mailer of choice for their particular
machine/OS.

Do we really want to exclude these people from full participation?  If so,
I suspect this would eliminate a few of the most valuable contributors to the
list.

Again, I don't thing this CONCEPT is a bad one, only that this particular
IMPLEMENTATION is premature in the absence of better and more ubiquitous
signature tools.

-matt (also unsigned, also known as mab@research.att.com)






Thread