From: eric@remailer.net (Eric Hughes)
To: cypherpunks@toad.com
Message Hash: 9c35d974c9faff45594c4d8f45c2272345b85b6ebe5256c38e09f3052894ca66
Message ID: <199412010130.RAA12026@largo.remailer.net>
Reply To: <199411302220.OAA08565@netcom11.netcom.com>
UTC Datetime: 1994-12-01 00:32:07 UTC
Raw Date: Wed, 30 Nov 94 16:32:07 PST
From: eric@remailer.net (Eric Hughes)
Date: Wed, 30 Nov 94 16:32:07 PST
To: cypherpunks@toad.com
Subject: Re: Shouldn't "toad" messages be signed?
In-Reply-To: <199411302220.OAA08565@netcom11.netcom.com>
Message-ID: <199412010130.RAA12026@largo.remailer.net>
MIME-Version: 1.0
Content-Type: text/plain
From: tcmay@netcom.com (Timothy C. May)
It seems clear to me that by the logic of this thread, *all* messages
passing through toad to us should naturally be _signed_.
Perhaps someone else's logic. Not mine.
I'm not talking about putting cryptographic material on toad. There
are not only key distribution problems (for sig checking) but also
security problems (for sig making). I've stated clearly two or three
times now that I was planning to use syntactic and not cryptographic
recognition.
After all,
how do we know if an "approved" message has indeed passed through
toad? Someone else could be spoofing the account.
This is specious. The server exists as a communication mechanism, not
as an authentication mechanism. Were the list restricted, either in
acceptance or in transmission, it would have authentication properties.
It's not, and it doesn't.
This will produce nested sigs, as I attempted to illustrate above
(apologies if I got the precise syntax wrong).
The precise syntax doesn't matter. The nesting problem is a weakness
in PGP, which can't add on a second signature to the block at the
bottom of a clearsigned message.
And will today's tools allow easy extraction of first the toad sig,
then the enclosed sig?
I doubt it. On the other hand, my original proposal was to encourage
the _making_ of signatures, not their checking. If you insist that my
proposal includes checking as a basic element, you'll be arguing
against a straw man.
Seems to me that if Eric wants to start encouraging use of sigs, that
a good first start would be for toad to sign all messages.
What Eric wants to very specifically encourage is the making of
signatures on outgoing posts. Anything else is a bonus, not a premise
to find inconsistency in.
Eric
Return to December 1994
Return to “tcmay@netcom.com (Timothy C. May)”