From: zinc <zinc@zifi.genetics.utah.edu>
Date: Fri, 25 Aug 95 19:28:02 PDT
To: "P.J. Ponder" <ponder@wane-leon-mail.scri.fsu.edu>
Subject: Re: Auto-pgp for pine/elm/tin (fwd)
In-Reply-To: <Pine.3.89.9508252137.H2413-0100000@wane3.scri.fsu.edu>
Message-ID: <Pine.LNX.3.91.950825200849.7881B-100000@zifi.genetics.utah.edu>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

On Fri, 25 Aug 1995, P.J. Ponder wrote:

> Date: Fri, 25 Aug 1995 21:52:47 +0100
> From: P.J. Ponder <ponder@wane-leon-mail.scri.fsu.edu>
> To: hfarkas@ims.advantis.com
> Cc: cypherpunks@toad.com
> Subject: Auto-pgp for pine/elm/tin (fwd)
> 
> 
> In Garfinkel's book, he talks about the risks of running PGP on a 
> multiuser system where others (sys. admins, eg) have higher levels of 
> authority than you do.  I have PGP installed on my pc and if I want to 
> use it, I can save the message in ascii, then upload it to the server 
> where I have my Internet account, then mail it.  maybe not entirely 
> transparent, but at least it seems to me that the convenience of running 
> it on the server with something like Mr. Wilcox's BAP is not worth the 
> added risk.  Besides, how often do you need to use it?  
> --
> pjp

the risks etc of using pgp on a multiuser platforms are well known. 

i'd say it's better to have a pgp signed mesg than an unsigned one.

if you post a lot, or mail a lot, that's a lot of mesgs to sign.
finding a tool to do this more easily than using pgp through the shell
interface is 'a good thing'.

given that, here are some args for signing on a multiuser platform.

often, people (me included) choose to use a separate 'weak' key for 
these purposes.  it's always nice to have some sort of indication that 
that is what the key is for.  i had a key with 'INSECURE KEY!!' tagged 
on the end of my userid.  i had another for secure communications.

now, you can't stop some sysop type person from doing whatever to you.
that's the way it goes.  but, if you've got a really malicious sysop,
they could just spoof you to the world, including making up a key
supposedly from you.  if they posted enough crap using that key people
would begin to think that they are really you or that one of you is
lying and to hell with both of you.  this sort of denial of service
attack is an unlikely event (unlikely for a sysop to do - someone else
is a diff matter).

finally, independent of multiuser platforms, the signing utilities are
quite useful for people like me who have their own personal unix box
on the net.

- -pjf

patrick finerty = zinc@zifi.genetics.utah.edu = pfinerty@nyx.cs.du.edu
U of Utah biochem grad student in the Bass lab - zinc fingers + dsRNA!
** FINGER zinc-pgp@zifi.genetics.utah.edu for pgp public key - CRYPTO!
zifi runs LINUX 1.2.11 -=-=-=WEB=-=-=->  http://zifi.genetics.utah.edu 


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMD6GjE3Qo/lG0AH5AQHazAP/ToRRiftaXDspBAnECzoM1ZexhqKb8Ou/
uxSljS/w3h9yz7+j6bJIbak1CI2JFrTneyj6jKsW/2wCV/p65F+5dvD2a2VUCJ6u
+93zmFHiMS0XhCl3lLutKKlcrZkXC1P1qvY7ozFYoJ5PQ7rqQGfoxUuPisGJ5gJm
XH/kkQSIuis=
=VpN7
-----END PGP SIGNATURE-----