1995-11-30 - Re: key for Alice as promised (not)

Header Data

From: anonymous-remailer@shell.portal.com
To: cypherpunks@toad.com
Message Hash: ced8b2f616b180520fdcb36f89f5ed2a12e0d839b7f48913777c81ffa4ec9c87
Message ID: <199511300232.SAA22068@jobe.shell.portal.com>
Reply To: N/A
UTC Datetime: 1995-11-30 03:01:06 UTC
Raw Date: Thu, 30 Nov 1995 11:01:06 +0800

Raw message

From: anonymous-remailer@shell.portal.com
Date: Thu, 30 Nov 1995 11:01:06 +0800
To: cypherpunks@toad.com
Subject: Re: key for Alice as promised (not)
Message-ID: <199511300232.SAA22068@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain


On Wed, 29 Nov 1995, Adam Shostack wrote:

> > PGP is really not the issue.  The issue is more my security and the
> > environment that I use PGP in.  I don't have a trusted machine to run PGP
> > on.  Anyone who wants to can come up to machine and copy my secret keyring
> > or they can even watch me typing my password in. 
> 
> 	Threat, please??  Do people often stand over your shoulder as
> you type?

Yes.

>  Enter your office, 

Yep, especially my night cleaning staff.

> point guns at you, 

Not recently ... I'd co-operate fully in that situation, though.

> and take a backup of your entire computer?  

You mean like the on-site backups that I have in the filing cabinet 
beside me, or the off-site backups that aren't here (in case of fire, or 
such) nd are completely outside my control?

> Have you considered putting the secret keyring
> on a floppy and locking it in your desk/safe when you're not actually
> in the office? (Or home..)

Yep, I've considerred it.  It's still not all that helpful.  Cleaning 
staff has plenty of time when I'm not around to deal with that.

> > So, I don't fool myself, and I don't use PGP, except for things like
> > exchanging a one-time pad with someone when I've already sent the message
> > out across another delivery mechanism, like on a floppy delivered my
> > courier. 
> 
> 	I don't follow.  You're claiming that PGP is good enough to
> transfer OTPads, but not good enough to sign pseudononymous messages?

Sure. Two different situations.

If I take a message or a data tape and encrypt it with a one time pad.  

And then I send the message out to someone via Greyhound or DHL.

And once they've confirmed that they have the encrypted message safely in 
hand, then I'll call them and ask them to call me with their public key
delivered by voice via telephone.

Which I then use to encrypt the one-time-pad, using the PGP key only once.

Then, I'm comfortable sending it (not the message, but the pad) over the 
Internet encrypted with PGP.  And I think at that point, I have Pretty 
Good Privacy.

> Adam
> 
> -- 
> "It is seldom that liberty of any kind is lost all at once."



Alice de 'nonymous ...

                                  ...just another one of those...


P.S.  This post is in the public domain.
                  C.  S.  U.  M.  O.  C.  L.  U.  N.  E.






Thread