1995-11-19 - Re: (CANADIAN PRESS REPORTS)

Header Data

From: jimbell@pacifier.com (jim bell)
To: cypherpunks@toad.com
Message Hash: 15a9a056fc176a7c3e1c1834f175bb00c74d03e6115a17412c551e26fca3d067
Message ID: <m0tH33n-00091vC@pacifier.com>
Reply To: N/A
UTC Datetime: 1995-11-19 06:55:42 UTC
Raw Date: Sun, 19 Nov 1995 14:55:42 +0800

Raw message

From: jimbell@pacifier.com (jim bell)
Date: Sun, 19 Nov 1995 14:55:42 +0800
To: cypherpunks@toad.com
Subject: Re: (CANADIAN PRESS REPORTS)
Message-ID: <m0tH33n-00091vC@pacifier.com>
MIME-Version: 1.0
Content-Type: text/plain


Detweiler wrote...

>On Sat, 18 Nov 1995, jim bell wrote:
>
>> >anonymous writes:
>> >> I still feel such a sense of violation with what LD did, such an
>> >> utter sense of helplessness at the character assassination I've
>> >> suffered at his hands, 
>> >
>> >So use PGP, sign your messages.  Simple solution.
>> 
>> Absolutely!  Anybody who uses anonymous remailers to post to public areas,
>> and does not use digital signatures to prevent spoofing when it is obviously
>> needed, is a fool or worse.
>
>Most people believe THAT a digital signature is evidence that I am who my
>signature _says_ I am when it really doesn't do that at all.  It isn't
>reliable at all. 
>
>Unfortunately, I've learned the hard way NOT to do that.  Digital 
>signatures don't prevent spoofing.
>
>In fact, I think that thinking something is secure when it isn't leads 
>to even more trouble, and could even lead to many tragedies.
>
>In a nutshell, here's the problem.
>

WARNING!  WARNING!  WARNING!  BIG "IF" COMING UP!  BIG "IF" COMING UP!!!


>If someone takes my pgp secret keyring and my password, then they can 
 ^^

>sign a message *digitally* so that people believe the spoofed message is 
>really from me.  In fact, since most people tend to rely on a pgp message 
>far more than a non-pgp message, most people would be absolutely 
>convinced that the message was in fact from me.

Pardon me, but what was the point of that last comment?  It is an obvious
statement of fact that yes, IF IF IF somebody had a secret key AND password,
he could duplicate a signature.  

Digital signatures allow a person to exclude others from being able to sign
messages as if they are from him.  True, a person could simply publish his
secret key and password, at which point everyone could sign notes as if they
came from him, but that wouldn't be "interesting" because most people would
have no reason to do so.

>Signing with PGP is just not a solution.

It is, apparently, in the vast majority of possible situations.  Why would
you even try to disagree?

Oh, yes, I forgot... you're Detweiler.


 





