From: tcmay@netcom.com (Timothy C. May)
Date: Thu, 1 Dec 94 11:18:24 PST
To: roy@cybrspc.mn.org
Subject: Re: Mandatory sig workaround
In-Reply-To: <941201.071127.7W2.rusnews.w165w@cybrspc.mn.org>
Message-ID: <199412011918.LAA21104@netcom4.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


Roy M. Silvernail wrote:

> > "Plenty of irons in the fire" is indeed the crucial point. Learning
> > how to make UQWK talk to AutoPGP in elm (or whatever) is apparently
> > fine for some people (by my estimate, 20% of those who post), but many
> > of the most valued (who shall remain nameless here) posters are *not*
> > signing posts. I urge you all to watch who signs and who doesn't.
> 
> It may just be that it's early and I'm only on my first cup of coffee,
> but are you suggesting an inverse correlation between the quality of a
> submission and the presence of a signature, Tim?  While I'd agree that
> many of the quality list members don't sign their articles, I don't
> think I can make the leap that signed messages have no useful content.
> Please tell me I misread you.

No, I didn't propose such a correlation. Just a reminder that _many_
active posters are not routinely, or ever, signing. This is probably
not due to a minor (few second) delay but, rather, to much large
hassles (discussed here often, but having to do with editors on remote
machines not having access to PGP tools and keys on local
machines--this can be solved by moving the PGP onto the remote machine
or by sending the file to local machines with sz, etc.).

> > Face it, some fraction of people on this list are gearheads, with
> > their own Pentiums or Suns sitting on the Net and with lots of
> > Unix/Linux tools they like to play with and that they can use to
> > compile their premails and procmails and whatnot. More power to them.
> 
> Or perhaps just a lowly 486 running DOS and UUCP.  But I heard that
> Cypherpunks Write Code, so I wrote PGP support into my signature
> controller.  I have signed all my email for 2 years, and all net traffic
> for nearly a year.  Gearhead?  Perhaps I am.  But this ain't no Porsche.

Like I said, "more power to them." I haven't gone this route, and
face, under the proposed system(s), delays and perhaps bounces. For
many reasons I think this is an unwise proposal.

> Which only underscores the need for better tools for the existing
> platforms.  Yes, I'd like everyone to sign their traffic.  But it's not
> always possible when the tools to do that are either non-existant or
> arcane (which means I'm in agreement with Tim on why he doesn't sign his
> traffic).

You've just answered your earlier points.

Let me recount something that hasn't been mentioned on the list. At
the last Cypherpunks meeting, well-known Unix gearhead Raph Levien
demonstated his premail work: nearly transparent encryption,
decryption, remailing integrated into "pine," a mailer. Something
this "simple" (no insult to the work meant...I mean simple in the
sense that it is conceptually obvious and expected) drew oohs and aahs
from the generally savvy attendees. It tells us something.

(Yes, I may consider switching from my favored mail reader, elm, to
pine. But not soon, and maybe not ever.)

> Tim, just for fun, what tools would need to appear to make it possible
> for you to sign your traffic?  Maybe a description will inspire some of
> the Macheads out there to get hacking.  (the astute reader will note
> that I'm not suggesting new tools to the erstwhile Mr. May, as has been
> done so often in the past)

Others have touched on this. MIME stuff, mail wrappers, etc.

There are three main worlds to consider:

1. Users on their own secure machines, composing, signing, and
encrypting with tools on their own machine. Completed messages are
either mailed (e.g., Eudora, dial-up) or are otherwise send directly
(boxes sitting on the Net via SLIP, PPP, TIA, etc.)

2. Users who do some of their work on secure machines (perhaps at
home) but log in to remote machines that are not secure against packet
sniffers, snooping sysadmins, subpoenas (which may not even be
disclosed to the target, as in cases involving money transfers, drug
cases, etc.).

3. Users who do most of their work on unsecure machines outside their
control. Most corporate users who use corporate machines. Most
university students with campus accounts. 

PGP can and is used in all of these worlds.

#1 is taken care of by lots of tools. (And if I limited my mail to
Eudora, I could cope moderately well. But I don't even have Eudora
running on my new Mac configuration yet, and I favor reading mail
while logged-on to Netcom. Also, signing Netnews articles--not the
topic of current debate--is not addressed.

#2 is where additional tools are needed. A useful tool: agent-like
technology that could "reach back" with a zmodem-like squirting of
text to the local/home machine, do the sigs and encryption, and then
squirt back the processed text. 

(Ironically, short messages are moderately easy for me to verify, as I
can select the displayed text and use cut-and-paste. So long as all
the text is visible. Longer text messages require that I somehow get
the text--often by using sz to send it to my local machine--and this
typically takes more steps and requires more choices than I want to
deal with.).

#3 users are probably happy in their ignorance and have others to help
them with setups and configs. That so many students are diligent about
signing their messages--on "foobar.edu"--says a lot about the spread
of tools, helps, and common set of tools (e.g., everybody may be using
4.3 BSD and the same core set of editors and mailers).

I am dismissive of #3 because it's toy security. Not a foundation to
build on. But OK for students. Or employees. Or casual use.

Enough for now.

--Tim May





-- 
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,  
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets, 
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
Cypherpunks list: majordomo@toad.com with body message of only: 
subscribe cypherpunks. FAQ available at ftp.netcom.com in pub/tcmay