1995-07-14 - Expansion on my earlier rant (long)

Header Data

From: “Robert A. Hayden” <hayden@krypton.mankato.msus.edu>
To: Cypherpunks Mailing List <cypherpunks@toad.com>
Message Hash: b0afade2d8ff3d09a801fa9fca4e42f54228e5244f1da96df2da687567251cde
Message ID: <Pine.ULT.3.91.950713200640.19067A-100000@krypton.mankato.msus.edu>
Reply To: N/A
UTC Datetime: 1995-07-14 01:10:17 UTC
Raw Date: Thu, 13 Jul 95 18:10:17 PDT

Raw message

From: "Robert A. Hayden" <hayden@krypton.mankato.msus.edu>
Date: Thu, 13 Jul 95 18:10:17 PDT
To: Cypherpunks Mailing List <cypherpunks@toad.com>
Subject: Expansion on my earlier rant (long)
Message-ID: <Pine.ULT.3.91.950713200640.19067A-100000@krypton.mankato.msus.edu>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

Hi all, me again.

I've received about a dozen requests to clarify my rant earlier about 
what I think needs to be done about the future of the CPs and the net, 
now that the official declaration of war has been made by the government. 
So, I'm going to do that.  

As a quick warning, however, I need to remind everyone that I am not a 
programmer.  My knowledge of Internet protocols is passable, but actual 
implementation issues are beyond me.  Basically, I'm a well-informed user 
with dreams.  Professionally, I'm a teacher and a graduate student in the 
area of Education Technology (use of modern technologies as applied to 
education) at Mankato State University in Minnesota.  I also write geek 
codes and am active politically serving on the college senate and being 
outspoken in other areas. :-)

Anyways . . . 

- -------------

When I look at the current political climate, the current technologies, 
and the predications for the next two or three years of the expected 
changes in the social makeup to the Internet, I quickly realize that the 
Cypherpunks cannot possibly, except by pure luck, expect to influence any 
change of the net.  The problem isn't that it is growing too fast.  The 
problem is that we as a generation of network users, who first came 
online circa 85-92, are not the same generation that make up the bulk of 
the population.

The bulk of the population, and the one that is continuing to come 
online, don't CARE about technical issues.  All they care about is what 
the net can do for them as a COMMUNICATION TOOL.  And until WE stop 
getting bogged in technical issues and start looking at this from the 
user's end of the spectrum, not enough people are going to care for it to 
matter. 

So when you take a program like PGP, which by all definitions is a
technological godsend, and introduce it to the mass populations of the
net, you get a big "Buh!?" back from them.  Why?  Because they just don't
care.  Furthermore, it becomes difficult to to teach them about the values
of the program because PGP is far too difficult to use.  I'm not saying
that the majority of the net is stupid, just that they don't want things
to be any more complicated than necessary. 

Thus, if we want to institute change, we have to come at it from a 
different angle.  We have to take into consideration the sociological 
makeup of the net, and, more importantly, what the current and future 
populations of the net are going to WANT.  Serving the needs of a tiny
percentage of people isn't going to accomplish what we want.

- -------
WHAT SHOULD WE DO

Now, if I was the king, this is what I'd like to see done...

1)	RE-EVALUATE PUSHING PGP
There is little doubt that PGP is a great program.  It does everything we 
want it to do.  Unfortunately, there are some significant problems with 
it as well.
	A)  ITAR:  'nuff said.  This prevents it's global use.
	B)  Patent concerns.  I don't know fully the details of this, but 
		if I understand, there are some concerns about who owns 
		what portions of the encryption algorithms, or something to
		that effect.
	C)  Can PGP's features be implemented in style usable by the
		current generation of Internet users?

The problem is that while we fight solving all of these concerns, we are 
going nowhere.  Would it be, in terms of time required, better to come 
up with another system that solves these problems?  By using 
international encryption techniques and Public Domain algorithms, and 
design the program specifically for implementation in user-end and 
server-end programs?

I don't know.  But this is what the re-evaluation needs to answer.

2)	PUSH FOR UNIVERSAL DIGITAL SIGNATURES
In my version of utopia, all digital messages are signed.  Unfortunately, 
right now, there are no mechanisms in place to achieve that.  

	First, a way to get signatures out needs to be done.  A
	server<->client program similar to Archie needs to be developed
	that will allow people to retrieve signatures off of some registry
	site(s).  Of course, this should be done with encryption, probably
	something similar to what netscape uses for its data transfers.  I
	should be able to get any person's digital signature knowing
	nothing more than their email address, or less specific, their
	name.  This is a white pages of the net. 

	Second.  A mechanism needs to be devised where all email and
	usenet material is digitally signed.  This needs to be done in a
	way that the user is not even aware that it is being done.  Perhaps
	an encrypted environment variable containing the key would work
	(ie, you run a program, type in your passphrase, it encrypts it to 
	a file, assigns your signature, and then reads that file into the
	environment, decrypting it when needed.  It does this once during 
	generation.).  In any case, no user should have to manually sign 
	anything.  Optimally, signatures would be part of the header of the 
	message, and not even seen by users. It's not 100% safe, especially
	on a multi-user system, but it's a helluva start. 

	Third, automated checking, via news readers or mail readers needs
	to be implemented.  All it needs to do is when a message arrives,
	it first greps the users personal keyring.  If the matching
	signature isn't found, it checks the system keyring.  If not
	found, it uses a similar protocol as above to check the Global
	Keyring (using an encrypted session).  If the signature is found to
	be authentic, it marks it as such, if not, it warns the user and
	it is unreliable data.  This optimly would take place prior to
	delivery by the mail transfer agent or news transfer agent of the
	receiving computer. 

No matter what, digital signatures need to be pushed as being unrelated 
to cryptography.  While they are similar, their are political problems 
with encryption, but not really with signatures.  If we make a hearty 
push towards authenticated communications, encryption falls right in line 
as a (oh, by the way, we can also...)

3)	NEAR TRANSPARENT ENCRYPTION

In the end, the goal is that encryption becomes simple enough and 
unintrusive enough that everybody will use it.  Once again, however, we 
need public key servers that can dole out keys on request.  Furthermore, 
encryption needs to be as simple as clicking on a button when you mail 
it, with the mail program or transfer agent doing the appropriate 
scrambling based on the addressee.  It needs to be able to get keys from 
servers in the background and decrypt without any more manual interaction 
than typing in a passphrase.  It is also my belief that digital 
signatures and encryption SHOULD NOT utilize the same key in a fully 
automated system, or have different passphrases within the same key.

4)	AND IT'S ALL GOTTA SIMPLE
Finally, I need to reiterate this.  Whatever is implemented has to be 
ungodly simple to use.  Users shouldn't have to think about this stuff.  
Administrators shouldn't have to deal with user requests about this stuff 
(just install the programs and go to it).  It's all gotta be free, AND 
internationally legal.  If we fail any of these tests, we can't win.

5)	JOIN THE EFF
Well, I just thought I'd throw this in, it can't hurt :-)

- ----------------------

Anyway, that's what I see as needing to be done.  All of this ISN'T just
about writing code, however.  All of us, myself included, need to start
electronically signing everything we send, especially to mailing lists and
as much as you can to usenet.  If anything, it's gets the word out as a
USEFUL implementation of this technology (verification of message).  We
need to not be afraid to send a letter to our elected officals warning
them about what the laws they are passing are going to do.  That's the
easy part.  The hard part is staying at it long enough to win the war. 

[as a side note, does anybody have a script or program that will 
auto-sign a message?  I'm usuing mkpgp for pine right now as an alternate 
editor, but that does more than I need (encryption and such.]



-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMAXEAjokqlyVGmCFAQH5aAP+Lbw37+//V6Blm29DCLbzkHgZ2u2pOU1c
mzqpBBwfA2cggdYPZj6a/wJAmWr06aMiCV02MFJF90NW3BdwVDogCrc67+iHY5UM
fc3AVXzFvM39KG6Ruizo3Wf6tXSpWUxvrgCiWODR4SiwyvpEvFbSJ+IsawUSLpfe
BZKAFv8bi50=
=zmoa
-----END PGP SIGNATURE-----


____        Robert A. Hayden      <=> Cthulhu Matata
\  /__          -=-=-=-=-         <=>          -=-=-=-=-
 \/  /  Finger for Geek Code Info <=> hayden@krypton.mankato.msus.edu
   \/   Finger for PGP Public Key <=> http://att2.cs.mankato.msus.edu/~hayden





Thread