1995-11-05 - Re: using PGP only for digital signatures

Header Data

From: “Perry E. Metzger” <perry@piermont.com>
To: James Black <black@eng.usf.edu>
Message Hash: 190b2db83e1e20e82ecd53579cf50df7416d6330a81f378fce48d82ad2970293
Message ID: <199511051611.LAA08586@jekyll.piermont.com>
Reply To: <Pine.SUN.3.91.951104155911.2413A-100000@fourier>
UTC Datetime: 1995-11-05 16:19:20 UTC
Raw Date: Mon, 6 Nov 1995 00:19:20 +0800

Raw message

From: "Perry E. Metzger" <perry@piermont.com>
Date: Mon, 6 Nov 1995 00:19:20 +0800
To: James Black <black@eng.usf.edu>
Subject: Re: using PGP only for digital signatures
In-Reply-To: <Pine.SUN.3.91.951104155911.2413A-100000@fourier>
Message-ID: <199511051611.LAA08586@jekyll.piermont.com>
MIME-Version: 1.0
Content-Type: text/plain



James Black writes:
>   I am in a discussion (during the week) with a system administrator 
> about seeing if we can just make PGP publicly available to everyone, 
> but now the discussion seems to be to just allow PGP to do digital 
> signatures, and I don't think that is the best choice, then.  They are 
> not against PGP being used, but there are legal issues as to whether they 
> can offer it to everyone, as some students are international students, 
> and are not allowed to use the version for the US, or so I have been 
> informed, so now I need to see if we can have the international version, 
> so these students can use it. :(

Actually, nothing in the ITAR says foreigners can't USE the
U.S. version of PGP, just that you can't give them the software.

However, I think it is a bad idea to make PGP available on a multiuser
computer. It encourages a very, very bad habit -- that of using PGP on
a multiuser computer....

> What they are trying to do is make certain that no 
> one can send a message to anyone, claim to be in the faculty, and cause 
> problems that way.

But since you are using this software on a multiuser computer over
likely insecure lines, or, even worse, over an insecure LAN, all you
are going to do is make things even stickier when someone steals a key
and starts pretending to be some faculty member anyway.

Don't use public key software on untrusted hardware over insecure
links. It's a BAD BAD BAD thing.

Perry




