1994-12-01 - Hazards of encouraging forged dig sigs

Header Data

From: "L. McCarthy" <lmccarth@ducie.cs.umass.edu>
To: cypherpunks@toad.com (Cypherpunks Mailing List)
Message Hash: 6c9d3bd54f4aebdd0de89a9e2d803ff106c328be79a9fb9996b02042e813af48
Message ID: <199412010326.WAA22171@ducie.cs.umass.edu>
Reply To: <wLJtkOwscEs5075yn@io.org>
UTC Datetime: 1994-12-01 03:26:03 UTC
Raw Date: Wed, 30 Nov 94 19:26:03 PST

Raw message

From: "L. McCarthy" <lmccarth@ducie.cs.umass.edu>
Date: Wed, 30 Nov 94 19:26:03 PST
To: cypherpunks@toad.com (Cypherpunks Mailing List)
Subject: Hazards of encouraging forged dig sigs
In-Reply-To: <wLJtkOwscEs5075yn@io.org>
Message-ID: <199412010326.WAA22171@ducie.cs.umass.edu>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

Mark Terka writes:
> If that's the case.....isn't it an equal pain in the ass to go to the trouble
> of forging a sig? :> You would likely have to go through more key strokes and
> other routines to forge one. Why not just play by the rules and sign a
> message?

I imagine it would be a breeze to attach a forged PGP sig to every message
using most mailers etc. The signature block is easy -- simply append it to 
the contents of the .sig autoappended by many mailers/newsreaders. All that
remains is a macro or a bit of cutting & pasting to toss in the --- BEGIN PGP
line at the top.

Now that Eric has made it abundantly clear he envisions syntactic but not
semantic checks of sigs, I am opposed to the proposition. I foresee a
situation in which a large portion of the list traffic uses forged or
meaningless signing-server-appended dig sigs. When I establish automatic
signature validation for incoming mail here Real Soon Now, there will be 
plenty of noise generated by all the `false' negatives in the data to make
a mockery of the authentication process. Encouraging cryptographically
valid signatures was the first suggestion I'd seen in this entire debate
which seemed to promise tangible benefits; encouraging cryptographically
invalid signatures is the first notion which appears to offer tangible
detriment.

Disclaimer acronym of the day: ECDWHW. Eric Can Do Whatever He Wants.

BTW, Tim, why do you seem so surprised by JD's style of discourse?
Just mention Chomsky and be done with the damn thing, it's not going to
be productive anyway.

- -L. Futplex McCarthy; PGP key by finger or server
"Don't say my head was empty, when I had things to hide...." --Men at Work

-----BEGIN PGP SIGNATURE-----
Version: 2.6.1

iQCVAwUBLt1CSGf7YYibNzjpAQEquAP5Aa0aVKiWW39kxxZEkvYHRFJBEOkZSVE5
ZCjUABEx7hki2+uaGvIDJyGlb73mxMeiT1iM8N1BBzbztSWbRN4wUbLsaRD27gQz
NY/g/eOvylZcphFzxLWRNWBnmGSgGgN+miMv0sVxSJkdq41fjSTW9ziH8mOrGRif
ZfYlP21LOSc=
=W8Wf
-----END PGP SIGNATURE-----
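The post's objection turns on the difference between a syntactic check (the message has the right BEGIN/END lines and a well-formed signature block) and a semantic one (some key actually vouches for the text). The following constructed example, which is not code from the original message or from PGP, makes that difference concrete: it parses clearsign armor as PGP 2.6 emitted it, including the dash-escaping visible in "- -L. Futplex McCarthy" above and the radix-64 CRC-24 checksum on the `=W8Wf` line (both per RFC 4880, the OpenPGP armor spec), and then classifies messages as unsigned, malformed, unverified or verified. The "semantic" verifier is an assumption: the Python standard library has no OpenPGP, so an HMAC over the signed text with a constructed demo key stands in for verification against the sender's public key; a real deployment would pass a function that calls out to gpg in its place. The point of the demo is that a signature-shaped block of random bytes with a correct checksum, and a genuine message whose text was edited after signing, both pass every syntactic test and both fail the semantic one, which is exactly the noise the post predicts for automatic validation.

```python
# Constructed example: syntactic vs. semantic checks on PGP clearsigned mail.
# Armor layout, dash-escaping and CRC-24 follow RFC 4880 (OpenPGP). The
# "semantic" verifier is a stand-in (stdlib has no OpenPGP): an HMAC over the
# text plays the role of "verify against the sender's key".
import base64
import hashlib
import hmac
import os

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def crc24(data: bytes) -> int:
    """Armor checksum (RFC 4880 s6.1). Covers only the signature bytes, so it
    says nothing about the text or about who signed."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor_crc_line(sig: bytes) -> str:
    return "=" + base64.b64encode(crc24(sig).to_bytes(3, "big")).decode()


def clearsign(text: str, sig: bytes, version: str = "2.6.1") -> str:
    """Wrap text and a signature in clearsign armor. Lines starting with '-'
    get dash-escaped ("- -L. McCarthy" in the post is exactly this)."""
    body = "\n".join(("- " + ln) if ln.startswith("-") else ln
                     for ln in text.split("\n"))
    b64 = base64.b64encode(sig).decode()
    return "\n".join([BEGIN_MSG, "", body, BEGIN_SIG, "Version: " + version, "",
                      *[b64[i:i + 64] for i in range(0, len(b64), 64)],
                      armor_crc_line(sig), END_SIG, ""])


def parse_clearsigned(msg: str):
    """Syntactic check only: markers in order, base64 decodes, CRC-24 matches.
    Returns (text, signature_bytes), or None if the armor is malformed."""
    lines = msg.split("\n")
    try:
        i_msg = lines.index(BEGIN_MSG)
        i_blank = lines.index("", i_msg)      # end of armor headers
        i_sig = lines.index(BEGIN_SIG, i_msg)
        j = lines.index("", i_sig)            # end of signature headers
        i_end = lines.index(END_SIG, i_sig)
    except ValueError:
        return None
    if not (i_msg < i_blank < i_sig < j < i_end):
        return None
    text = "\n".join(ln[2:] if ln.startswith("- ") else ln
                     for ln in lines[i_blank + 1:i_sig])
    data = [ln for ln in lines[j + 1:i_end] if ln]
    if not data or not data[-1].startswith("="):
        return None
    try:
        sig = base64.b64decode("".join(data[:-1]), validate=True)
        crc = base64.b64decode(data[-1][1:], validate=True)
    except ValueError:                        # binascii.Error is a ValueError
        return None
    return (text, sig) if crc == crc24(sig).to_bytes(3, "big") else None


def classify(msg: str, verify) -> str:
    """unsigned | malformed | unverified (looks signed, no key vouches for it)
    | verified. Only 'verified' means anything for authentication."""
    if BEGIN_MSG not in msg:
        return "unsigned"
    parsed = parse_clearsigned(msg)
    if parsed is None:
        return "malformed"
    return "verified" if verify(*parsed) else "unverified"


DEMO_KEY = b"constructed demo key, not a real secret"  # stand-in, see header

def demo_sign(text: str, key: bytes = DEMO_KEY) -> bytes:
    return hmac.new(key, text.encode(), hashlib.sha256).digest()

def demo_verify(text: str, sig: bytes, key: bytes = DEMO_KEY) -> bool:
    return hmac.compare_digest(demo_sign(text, key), sig)


def demo() -> dict:
    """The post's scenario as the checker sees it: one genuine message, one
    signature-shaped block no key produced, one edited after signing."""
    text = "Sample body (constructed).\n-L. McCarthy; PGP key by finger or server"
    genuine = clearsign(text, demo_sign(text))
    bogus = clearsign(text, os.urandom(32))          # passes every syntax check
    tampered = genuine.replace("Sample", "Altered")  # CRC never covered the text
    no_end = genuine.replace(END_SIG, "")
    cases = [("genuine", genuine), ("bogus", bogus), ("tampered", tampered),
             ("no_end_marker", no_end), ("plain", text)]
    return {name: classify(m, demo_verify) for name, m in cases}
```

Running `demo()` returns `verified` only for the genuine message; the bogus block and the tampered text both come back `unverified` even though `parse_clearsigned` accepts them, and only a missing END line is `malformed`. A mail filter that stops at the syntactic stage would therefore count the first three as "signed", which is the mockery of authentication the post is worried about; the useful policy decision is what to do with `unverified`, not whether a block is present.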
