1995-11-30 - Re: key for Alice as promised (not) (fwd)

Header Data

From: Adam Shostack <adam@lighthouse.homeport.org>
To: cypherpunks@toad.com (Cypherpunks Mailing List)
Message Hash: d0f049e72bbf2c5c3e40efc667a7a5938ffbec3e9183ee115e51b140c30a2881
Message ID: <199511300318.WAA16662@homeport.org>
Reply To: N/A
UTC Datetime: 1995-11-30 03:55:38 UTC
Raw Date: Thu, 30 Nov 1995 11:55:38 +0800

Raw message

From: Adam Shostack <adam@lighthouse.homeport.org>
Date: Thu, 30 Nov 1995 11:55:38 +0800
To: cypherpunks@toad.com (Cypherpunks Mailing List)
Subject: Re: key for Alice as promised (not) (fwd)
Message-ID: <199511300318.WAA16662@homeport.org>
MIME-Version: 1.0
Content-Type: text


>On Wed, 29 Nov 1995, Adam Shostack wrote:
>
>> > PGP is really not the issue.  The issue is more my security and the
>> > environment that I use PGP in.  I don't have a trusted machine to run PGP
>> 	Threat, please??  Do people often stand over your shoulder as
>> you type?
>
>Yes.

And you can't ask them to leave, as you send anonymous messages?  Or
does your whole office know your one of those who post to cypherpunks
as Alice d' nonymouys?

>> Have you considered putting the secret keyring
>> on a floppy and locking it in your desk/safe when you're not actually
>> in the office? (Or home..)
>
>Yep, I've considerred it.  It's still not all that helpful.  Cleaning 
>staff has plenty of time when I'm not around to deal with that.

	Of course, if the cleaning staff cut your safe open, you have
a good indication of that in the morning.

	Not that you've demonstrated that the level of effort to do
all of this at all equates to what is gained, namely, the ability to
impersonate you.  Which everyone in the world has today.

>> > So, I don't fool myself, and I don't use PGP, except for things like
>> > exchanging a one-time pad with someone when I've already sent the message
>> > out across another delivery mechanism, like on a floppy delivered my
>> > courier. 
>> 
>> 	I don't follow.  You're claiming that PGP is good enough to
>> transfer OTPads, but not good enough to sign pseudononymous messages?
>
>Sure. Two different situations.

[...]

>And once they've confirmed that they have the encrypted message safely in 
>hand, then I'll call them and ask them to call me with their public key
>delivered by voice via telephone.

>Which I then use to encrypt the one-time-pad, using the PGP key only once.
>
>Then, I'm comfortable sending it (not the message, but the pad) over the 
>Internet encrypted with PGP.  And I think at that point, I have Pretty 
>Good Privacy.

	Of course, then your message only has 128 bits of security,
because the Greyhound or DHL employee could be easily comprimised, as
could the message in their office.  So you encrypt the pad with IDEA,
getting you IDEA level security, and think you're working with one
time pads??

	I'm flabbergasted.






Thread