From: “Mark M.” <markm@voicenet.com>
To: “David F. Ogren” <ogren@cris.com>
Message Hash: 8be32aa499cc1ed51598efd4eba20ef28fef69f3d473ee387825c10ada162e59
Message ID: <Pine.LNX.3.94.960702230424.178A-100000@gak>
Reply To: <199607022343.TAA21050@darius.cris.com>
UTC Datetime: 1996-07-03 06:40:31 UTC
Raw Date: Wed, 3 Jul 1996 14:40:31 +0800
From: "Mark M." <markm@voicenet.com>
Date: Wed, 3 Jul 1996 14:40:31 +0800
To: "David F. Ogren" <ogren@cris.com>
Subject: Re: Lack of PGP signatures
In-Reply-To: <199607022343.TAA21050@darius.cris.com>
Message-ID: <Pine.LNX.3.94.960702230424.178A-100000@gak>
MIME-Version: 1.0
Content-Type: text/plain
-----BEGIN PGP SIGNED MESSAGE-----
On Tue, 2 Jul 1996, David F. Ogren wrote:
> I've noticed recently that two PGP programmers (Mr. Zimmerman and Mr.
> Atkins) do not seem to PGP clearsign their messages to this list. In fact,
> a surprisingly small percentage of messages on the C-punk list are signed.
> This despite the fact that the average subscriber is at least literate in
> PGP.
>
> Does anybody have any speculation on why this is?
>
> Is it because people consider mundane mail unimportant enough to sign?
This is one reason. I think that there are several other reasons:
-- Someone may be using a machine at work or on a multiuser UNIX system which
is untrusted and insecure. In the case of a UNIX account, one could
compose a message off-line and rz it using a term program, but that is a
major hassle.
-- Many email programs do not have support for PGP so signing a message often
requires a lot of cutting and pasting.
-- PGP may not work on the computer a person is using for Internet access or
the system might be too slow to use PGP.
>
> Is it because the members of this list are more concerned with encryption
> than authentication?
I think they are both equally important. The point of public-key cryptography
is the ability to communicate with a person without having a secure channel to
exchange keys. Once keys can be transmitted using the same medium used for the
encrypted traffic, it makes a MITM or denial-of-service attack much easier.
There has to be some out-of-band method to authenticate keys. Without
authentication, a lot of the security that could be gained by using PK crypto
is lost.
>
> Is it because most mail programs are not PGP aware?
I don't know of any mail programs that can use PGP (I know there are various
interfaces, sendmail wrappers, and other hacks, but I have yet to see a mailer
with an "Encrypt" or "Sign" option.
>
> Is it because of the weaknesses in MD5?
Doubtful. PGP authentication is better than no authentication.
- -- Mark
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
markm@voicenet.com | finger -l for PGP key 0xe3bf2169
http://www.voicenet.com/~markm/ | d61734f2800486ae6f79bfeb70f95348
"Freedom is the freedom to say that two plus two make four. If that
is granted, all else follows." --George Orwell, _1984_
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3
Charset: noconv
iQCVAwUBMdnnBLZc+sv5siulAQEIpAP/WesfBknwJeUnNIZzYtLkJkqR7hMu2jYz
9migOABikpYDwe0H8Dfn34ff3bab5xncoJ7M8l0HmvrISMjeFp9DpKXT0yJ0rk7a
HymHCGyGpJXjQ+snbLoyEQbB4DzcE+BjihSM2upmIMhQbH3paEagc41VwL+udfVA
EsWUux6Yato=
=8SiH
-----END PGP SIGNATURE-----
Return to July 1996
Return to “Rich Graves <llurch@networking.stanford.edu>”