1996-03-02 - Re: PGP to PC mail integration

Header Data

From: Bill Stewart <stewarts@ix.netcom.com>
To: Mike Ingle <inglem@adnetsol.com>
Message Hash: 909d631e600a5776686e97d0595a03caee2fb2eb0e8fd132998ee1e0cc38e8b5
Message ID: <199602290844.AAA03839@ix4.ix.netcom.com>
Reply To: N/A
UTC Datetime: 1996-03-02 10:12:44 UTC
Raw Date: Sat, 2 Mar 1996 18:12:44 +0800

Raw message

From: Bill Stewart <stewarts@ix.netcom.com>
Date: Sat, 2 Mar 1996 18:12:44 +0800
To: Mike Ingle <inglem@adnetsol.com>
Subject: Re: PGP to PC mail integration
Message-ID: <199602290844.AAA03839@ix4.ix.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


At 12:18 AM 2/28/96 -0800, Mike Ingle <inglem@adnetsol.com>
suggested setting up a VB program on localhost to proxy POP and SMTP requests
for PGP, rather than hitting it from the user interface.
>Once this is set up, the user burden is near zero, and it works with
>any winsock-based mail program. What do you think of the idea?

It'd probably be pretty convenient for incoming, though you need to build
some mechanism for displaying the PGP output for signatures (since PGP
gives you the contents of the signed material when you check the sig.).
One interesting security problem is how to distinguish between the message
your PGP bot drops in your mailbox containing the message and an indication that
the signature is good from a message that someone carefully constructed
that _looks_ identical but includes its _own_ indication that the
(possibly bad) signature is good.

For outgoing mail, you'd either have to sign everything, which may be good,
or have a way to tell it the proxy whether or not to sign the mail,
and you'd either need to hand it your passphrase each time or take the 
security risk of leaving an autosigner hanging around listening on a port,
just _waiting_ for somebody to lie about where they're connecting from
and get your bot to sign arbitrary things.....  There are also minor issues
if you use multiple keys, which most people probably should.

Interfaces between VB and PGP262 are a bit crude - Private Idaho is a good
example.
The problem is that PGP262 is a DOS program, so you need to POP up a DOS window
to run it in, and then make the window go away.  PI does that just fine,
but it's a bit ugly to watch; it's much cleaner with ViaCrypt's
Windows-based PGP.
PGP 3.0 will simplify this, since you'll be able to use PGP as a library
instead of a hauling up DOS to run it in.

#--
#				Thanks;  Bill
# Bill Stewart, stewarts@ix.netcom.com / billstewart@attmail.com +1-415-442-2215
# http://www.idiom.com/~wcs     Pager +1-408-787-1281






Thread