1994-12-21 - Re: GUI: PGP vs novices

Header Data

From: bshantz@spry.com
To: cypherpunks@toad.com
Message Hash: 63de6a41cccb6bcd51ad2f30164076a9977bdd04018fd3a9592f6b2518379f51
Message ID: <199412212013.MAA11597@homer.spry.com>
Reply To: N/A
UTC Datetime: 1994-12-21 20:13:26 UTC
Raw Date: Wed, 21 Dec 94 12:13:26 PST

Raw message

From: bshantz@spry.com
Date: Wed, 21 Dec 94 12:13:26 PST
To: cypherpunks@toad.com
Subject: Re: GUI: PGP vs novices
Message-ID: <199412212013.MAA11597@homer.spry.com>
MIME-Version: 1.0
Content-Type: text/plain


Thomas Grant Edwards writes:

>On the issue of signing, there is another question.  Do I really want
>to sign every message?  I don't like signing my written name anywhere I
>don't have to.  And whenever I do, I am careful to look at all the
>potential consequences.  Signatures imply I am agreeing to some kind of
>contract.  Perhaps I prefer my email unsigned, to give me a level of
>disputability.  If my email was a business contract, then I'd be
>enthusiastic about signing it.   But for a post to a political newsgroup, 
>for instance, perhaps I don't want to make sure everybody can 
>cryptographically assure themselves it comes from me.  This leaves me 
>open to potential forgery, but email forgery is well known and understood.

Good point.  However, the digital signature issue is still outside of what my 
topic was.  I agree with you wholeheartedly.  That's one of the reasons I 
don't sign everything.  That particular "argument" about digisigs has been 
pounded into the ground by the Cypherpunks for the last year and probably 
longer.

I just think (boy I feel repetitive) that there should be something inside the 
software so the user has the option to sign, or sign on the fly.  If I type up 
a message and think, "hey, I really want people to know this is from me", it 
would be really cool to just hit a button on the toolbar, or grab a menu 
option to sign automatically before sending.  You don't have to sign 
everything.  But, you don't have to go out to another application (of any 
sort) in order to sign.  It's right there in front of you.

That was my point.

>Finally is physical security of keys.  If I am going to sign anything, I 
>want that key to be under control of only me.
  
On a personal machine, say at home, that's not really a problem.  On a 
computer at the office where everything is password protected, it isn't really a 
problem either.  Since the situations I work with deal mainly with the home 
user, key management isn't as much a worry as if you're using workstations.

>It is difficult for someone like me who uses workstations to keep a key 
>only on floppy, especially as I find myself on different workstations, 
>many diskless, all the time.

This issue has also been pounded into the ground.  Carrying a disk around with 
you is really the only way to guarantee security.  (Or memorizing your private 
key and typing it in every time.  EEEEERRRGGHHHH)  But, you are right.  It is 
a pain in the ass.

-- Brad





