From: Jonathan Corbet <corbet@stout.atd.ucar.EDU>
To: cypherpunks@toad.com
Message Hash: f4ef304cafc0b264a53e5a37d536c7d41e999bd5b4bd4b776cd897c5c682056d
Message ID: <9312012218.AA27473@stout.atd.ucar.EDU>
Reply To: <9312012114.AA07097@media.mit.edu>
UTC Datetime: 1993-12-01 22:22:23 UTC
Raw Date: Wed, 1 Dec 93 14:22:23 PST
From: Jonathan Corbet <corbet@stout.atd.ucar.EDU>
Date: Wed, 1 Dec 93 14:22:23 PST
To: cypherpunks@toad.com
Subject: Re: Two items from recent magazines...
In-Reply-To: <9312012114.AA07097@media.mit.edu>
Message-ID: <9312012218.AA27473@stout.atd.ucar.EDU>
MIME-Version: 1.0
Content-Type: text/plain
> W.R.T. using "fake" inventors. It's illegal to file a patent application
> without the true original inventor's name on it. If it can be proven that a
> company did this, it is liable for treble damages and the lawyer who filed
> the application can be disbarred.
It's not the inventors who are faked, according to the article -- it's the
companies for whom they work. I forget the examples now (mag is at home),
but these people have turned up corporations which file their patents under
no end of front companies (tentacles? :-) so as to make it hard for their
competitors to see what they are up to. It's by using the inventors' names
that all this information is being pulled back together.
Jonathan Corbet
National Center for Atmospheric Research, Atmospheric Technology Division
corbet@stout.atd.ucar.edu
they are - and I haven't tried checking their
articles to know what to look for to check whether an email
request claiming to be from one of them looks unforged.
If I remember right, none of these people puts a PGP Key ID or fingerprint
in their posting signatures, so I don't have that clue available -
that would increase my confidence a lot. But I still couldn't be sure.
[This is the hitch in digital signatures isn't it? At least as far as
those not issued from an authority are concerned. You are really
signing for a location rather than anything else. You have no idea
who has access to the secret key on the other side of the public or if
the "who" is a "him" a "her" or "they." A signature is webbed in with
the trust you give it. Tim May's signature means nothing if everyone
knows that Tim and his close friends all use it even if the key only
has the words "Tim May" on it.
++ Tim, I used your name because I want someone else to be the example
today :) ++
Technically (for you grassy knoll types) the holder of a secret key could
be quite dead and anyone might have taken up use.
The dead key holder, or even the duress key holder, creates all
sorts of problems if you are dealing with nym's or anonymous keys.
Same problem with so-called "password" or "bearer" accounts.
The money is only as secure as the protocol is secret. Subjectively
different for each and every user.
People like LD have to break past the barrier in concept and accept
that a public key system with an open trust web just cannot be used
to establish IDENTITY. With a properly structured web it approaches
zero probability of "identity fraud," but never quite gets there.
I'm not lying if I sign some key that I know to belong to a person
who actively uses the name "564FR"
All my signature says is that "at one time 564FR held this key and
I trust him to send a revocation if there is a problem."
NOT
"This key is held by 564FR and 564FR alone, so help me (insert deity of
choice)"
Frankly I think this system is a lot MORE honest than a centralized
system (which stinks to me of big government anyhow) because
multiple signatures from several individuals represent different
perspectives on identity. Chances are that if you have 6 nice signatures
you managed to convince 6 very different people that the key is "yours"
I trust this much more than some "trusted authority" which is likely
to be neither trusted, nor an authority.]
+++
On the other hand, if I really cared about preserving the anonymity
of the nym-user, and it was somebody I knew in person, or myself,
I probably wouldn't sign it with my real key - it may be relatively obvious
that "Bill The Dragon-Basher" whose key was signed by "Bill Stewart" was me,
but I'd rather not have to deal with a court subpoena or Mafia equivalent
trying to find the users of the keys for "Crypto International, Ltd." or
"Coalition Against the U.S. Invasion of Cuba" or "Some Unapproved Religion" or
"Bear's Custom Chemicals" or an anonymous Panamanian bank account that's mine.
But if the keys are only signed by other nyms, how trustable are they?
[So how do you know what's a nym and what's not?]
If I ran a digibank, I'd be real hesitant about accepting changes of
address or public-key unless I had some physical verification or other
securely shared secret to avoid eavesdropper and interloper attacks,
but one of the goals of digital banking is that you're not supposed
to need physical transactions. I suppose an initial account set up
by sending the bank a message with a Secret and a public key and a
bunch of digibucks might do the job, with some cut&choose protocols
to decrypt the digibucks if the account is approved?
[If I ran a digibank with open accounts, I'd shift the security burden
to the account holder. Especially when dealing with accounts from
sketchy identities. Provide the means for security in protocol,
the rest is up to the user.]
Bill The Dragon-Basher
(oops! ^X^C:wq!/exit~.\b\b\b\b\b\b)
# Bill Stewart Old address: wcs@anchor.ho.att.com AT&T Bell Labs, Holmdel, NJ
# After 10/15, NCR, 6870 Koll Center Parkway, Pleasanton CA, 94566
# Voice/Beeper 510-224-7043, Phone 510-484-6204, email bill.stewart@pleasantonca.ncr.
com
- -uni- (Dark)
[who will begin to attach key fingerprints to mail and not just usenet
and finger] :)
073BB885A786F666 6E6D4506F6EDBC17
-----BEGIN PGP SIGNATURE-----
Version: 2.3
iQCVAgUBLP0XEBibHbaiMfO5AQHeKQQAhN6RXRQ8fZ1hz+jvFbuw6N6fvByG2Euq
BYISCdcLgcWa1V/Jpq7GjjIwLTEYjxFQBqg2txyu4QKpmg1HR3ox/MAyUPcqQqQy
K9WxvwVMW/3ydGKRwLyatthHZsa47JGVumwzQJ2/cDzhNZhfiM/SqXgH3jdHBSAO
9r744wKJsoc=
=Qi4O
-----END PGP SIGNATURE-----
Return to December 1993
Return to “tcmay@netcom.com (Timothy C. May)”