From: “Robert A. Hayden” <hayden@krypton.mankato.msus.edu>
To: Cypherpunks Mailing List <cypherpunks@toad.com>
Message Hash: b0afade2d8ff3d09a801fa9fca4e42f54228e5244f1da96df2da687567251cde
Message ID: <Pine.ULT.3.91.950713200640.19067A-100000@krypton.mankato.msus.edu>
Reply To: N/A
UTC Datetime: 1995-07-14 01:10:17 UTC
Raw Date: Thu, 13 Jul 95 18:10:17 PDT
From: "Robert A. Hayden" <hayden@krypton.mankato.msus.edu>
Date: Thu, 13 Jul 95 18:10:17 PDT
To: Cypherpunks Mailing List <cypherpunks@toad.com>
Subject: Expansion on my earlier rant (long)
Message-ID: <Pine.ULT.3.91.950713200640.19067A-100000@krypton.mankato.msus.edu>
MIME-Version: 1.0
Content-Type: text/plain
-----BEGIN PGP SIGNED MESSAGE-----
Hi all, me again.
I've received about a dozen requests to clarify my rant earlier about
what I think needs to be done about the future of the CPs and the net,
now that the official declaration of war has been made by the government.
So, I'm going to do that.
As a quick warning, however, I need to remind everyone that I am not a
programmer. My knowledge of Internet protocols is passable, but actual
implementation issues are beyond me. Basically, I'm a well-informed user
with dreams. Professionally, I'm a teacher and a graduate student in the
area of Education Technology (use of modern technologies as applied to
education) at Mankato State University in Minnesota. I also write geek
codes and am active politically serving on the college senate and being
outspoken in other areas. :-)
Anyways . . .
- -------------
When I look at the current political climate, the current technologies,
and the predications for the next two or three years of the expected
changes in the social makeup to the Internet, I quickly realize that the
Cypherpunks cannot possibly, except by pure luck, expect to influence any
change of the net. The problem isn't that it is growing too fast. The
problem is that we as a generation of network users, who first came
online circa 85-92, are not the same generation that make up the bulk of
the population.
The bulk of the population, and the one that is continuing to come
online, don't CARE about technical issues. All they care about is what
the net can do for them as a COMMUNICATION TOOL. And until WE stop
getting bogged in technical issues and start looking at this from the
user's end of the spectrum, not enough people are going to care for it to
matter.
So when you take a program like PGP, which by all definitions is a
technological godsend, and introduce it to the mass populations of the
net, you get a big "Buh!?" back from them. Why? Because they just don't
care. Furthermore, it becomes difficult to to teach them about the values
of the program because PGP is far too difficult to use. I'm not saying
that the majority of the net is stupid, just that they don't want things
to be any more complicated than necessary.
Thus, if we want to institute change, we have to come at it from a
different angle. We have to take into consideration the sociological
makeup of the net, and, more importantly, what the current and future
populations of the net are going to WANT. Serving the needs of a tiny
percentage of people isn't going to accomplish what we want.
- -------
WHAT SHOULD WE DO
Now, if I was the king, this is what I'd like to see done...
1) RE-EVALUATE PUSHING PGP
There is little doubt that PGP is a great program. It does everything we
want it to do. Unfortunately, there are some significant problems with
it as well.
A) ITAR: 'nuff said. This prevents it's global use.
B) Patent concerns. I don't know fully the details of this, but
if I understand, there are some concerns about who owns
what portions of the encryption algorithms, or something to
that effect.
C) Can PGP's features be implemented in style usable by the
current generation of Internet users?
The problem is that while we fight solving all of these concerns, we are
going nowhere. Would it be, in terms of time required, better to come
up with another system that solves these problems? By using
international encryption techniques and Public Domain algorithms, and
design the program specifically for implementation in user-end and
server-end programs?
I don't know. But this is what the re-evaluation needs to answer.
2) PUSH FOR UNIVERSAL DIGITAL SIGNATURES
In my version of utopia, all digital messages are signed. Unfortunately,
right now, there are no mechanisms in place to achieve that.
First, a way to get signatures out needs to be done. A
server<->client program similar to Archie needs to be developed
that will allow people to retrieve signatures off of some registry
site(s). Of course, this should be done with encryption, probably
something similar to what netscape uses for its data transfers. I
should be able to get any person's digital signature knowing
nothing more than their email address, or less specific, their
name. This is a white pages of the net.
Second. A mechanism needs to be devised where all email and
usenet material is digitally signed. This needs to be done in a
way that the user is not even aware that it is being done. Perhaps
an encrypted environment variable containing the key would work
(ie, you run a program, type in your passphrase, it encrypts it to
a file, assigns your signature, and then reads that file into the
environment, decrypting it when needed. It does this once during
generation.). In any case, no user should have to manually sign
anything. Optimally, signatures would be part of the header of the
message, and not even seen by users. It's not 100% safe, especially
on a multi-user system, but it's a helluva start.
Third, automated checking, via news readers or mail readers needs
to be implemented. All it needs to do is when a message arrives,
it first greps the users personal keyring. If the matching
signature isn't found, it checks the system keyring. If not
found, it uses a similar protocol as above to check the Global
Keyring (using an encrypted session). If the signature is found to
be authentic, it marks it as such, if not, it warns the user and
it is unreliable data. This optimly would take place prior to
delivery by the mail transfer agent or news transfer agent of the
receiving computer.
No matter what, digital signatures need to be pushed as being unrelated
to cryptography. While they are similar, their are political problems
with encryption, but not really with signatures. If we make a hearty
push towards authenticated communications, encryption falls right in line
as a (oh, by the way, we can also...)
3) NEAR TRANSPARENT ENCRYPTION
In the end, the goal is that encryption becomes simple enough and
unintrusive enough that everybody will use it. Once again, however, we
need public key servers that can dole out keys on request. Furthermore,
encryption needs to be as simple as clicking on a button when you mail
it, with the mail program or transfer agent doing the appropriate
scrambling based on the addressee. It needs to be able to get keys from
servers in the background and decrypt without any more manual interaction
than typing in a passphrase. It is also my belief that digital
signatures and encryption SHOULD NOT utilize the same key in a fully
automated system, or have different passphrases within the same key.
4) AND IT'S ALL GOTTA SIMPLE
Finally, I need to reiterate this. Whatever is implemented has to be
ungodly simple to use. Users shouldn't have to think about this stuff.
Administrators shouldn't have to deal with user requests about this stuff
(just install the programs and go to it). It's all gotta be free, AND
internationally legal. If we fail any of these tests, we can't win.
5) JOIN THE EFF
Well, I just thought I'd throw this in, it can't hurt :-)
- ----------------------
Anyway, that's what I see as needing to be done. All of this ISN'T just
about writing code, however. All of us, myself included, need to start
electronically signing everything we send, especially to mailing lists and
as much as you can to usenet. If anything, it's gets the word out as a
USEFUL implementation of this technology (verification of message). We
need to not be afraid to send a letter to our elected officals warning
them about what the laws they are passing are going to do. That's the
easy part. The hard part is staying at it long enough to win the war.
[as a side note, does anybody have a script or program that will
auto-sign a message? I'm usuing mkpgp for pine right now as an alternate
editor, but that does more than I need (encryption and such.]
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMAXEAjokqlyVGmCFAQH5aAP+Lbw37+//V6Blm29DCLbzkHgZ2u2pOU1c
mzqpBBwfA2cggdYPZj6a/wJAmWr06aMiCV02MFJF90NW3BdwVDogCrc67+iHY5UM
fc3AVXzFvM39KG6Ruizo3Wf6tXSpWUxvrgCiWODR4SiwyvpEvFbSJ+IsawUSLpfe
BZKAFv8bi50=
=zmoa
-----END PGP SIGNATURE-----
____ Robert A. Hayden <=> Cthulhu Matata
\ /__ -=-=-=-=- <=> -=-=-=-=-
\/ / Finger for Geek Code Info <=> hayden@krypton.mankato.msus.edu
\/ Finger for PGP Public Key <=> http://att2.cs.mankato.msus.edu/~hayden
Return to July 1995
Return to ““Robert A. Hayden” <hayden@krypton.mankato.msus.edu>”
1995-07-14 (Thu, 13 Jul 95 18:10:17 PDT) - Expansion on my earlier rant (long) - “Robert A. Hayden” <hayden@krypton.mankato.msus.edu>