From: Mix <mixmaster@remail.obscura.com>
Date: Sun, 2 Nov 1997 09:10:11 +0800
To: cypherpunks@cyberpass.net
Subject: Re: cute.
Message-ID: <199711020051.QAA23884@sirius.infonex.com>
MIME-Version: 1.0
Content-Type: text/plain



-----BEGIN PGP SIGNED MESSAGE-----

Amad3us wrote:
>Matthew Nuckolls says
>> What's the point in distribuing your public key through the same
>> channels as a signature? Kinda defeats the purpose. 
>
>The purpose is to create a persistent nym.  The signature, and public
>key ensures that you know that this message is from the same person
>as you were attempting to nit pick :-]

It has been my experience that it is more fun to operate a persistent
identity than to post unsigned and unverifiable messages.

Providing the key is at least a convenience for people who don't have
it already - it saved me a trip to the key server.

>> I can't verify that the given public key is indeed yours, since
>> you're anonymous.
>
>True.  So it's only as good as the keys you might fetch from a
>keyserver that you have no connection to in the web of trust.
>
>You aren't supposed to link it to my True Name.
>
>All that can be done is to get a signature from a timestamp server,
>and a signature from Bill Stewart's nym key signing service.

What would be really nice is if the mailing list machines time stamped
messages.

There was a discussion a little while ago suggesting that toad.com had
been compromised by people who were sowing dissension by partially
distributing certain messages.  Had toad signed all of its messages,
it would be possible to obtain evidence supporting this hypothesis
without relying entirely on the word of people we may not know.

Had somebody compromised toad, they would still have to correctly sign
messages.  Later it would have been possible to prove this had
occurred by comparing messages and signatures.

This would also prevent an attack where somebody forges mail from a
cypherpunks list machine to flush out identities.  If the attacker
sends a unique message to every person, he or she will be able to
break an identity if the message is replied to on the list.

>This is important because it prevents someone else from generating more
>keys with the same userID, such as happened with Tim May's blacknet key.
>The only protection I have against that is the public record of my key
>being posted to cypherpunks.  The http://infinity.nus.sg/cypherpunks/
>archive helps as a public record of first publishing of a key with this
>userID.

I'm not sure a timestamp matters that much for "authenticating" your
key.  After all, you don't own "Amad3us", you own key 0x4D162BBE1.

If another "Amad3us" shows up, what matters if their string of posts
are worth reading, not whether they borrowed your handle.

It would cause confusion, but since the cypherpunks are so good at
slinging bits, we should be able to handle this.  It might even have
an advantage: reporters and secret police types will have a harder
time dealing with the cypherpunks without adopting some of our
technology and ideas and sharing them with others.

Monty Cantsin
Editor in Chief
Smile Magazine
http://www.neoism.org/squares/smile_index.html
http://www.neoism.org/squares/cantsin_10.htm

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQEVAwUBNFu/fZaWtjSmRH/5AQGSdAf8DdZj05c4/WS/V9YF/o1lZ9W7/5vGlTDf
mvU8nFPNT4TB9eha7UW/Ub2xaUI4TneBrWrIwXTeEqo1slUbzmShneeUoUlKMEho
+PlrA8NjQhh/QRwMXsVUp4vtoV3oDUbCTRLE8PWIikC7Rpo92UocujfFhsey3Ewu
/SCA/TrkjVO8efeR4H6GOBnVWd/+4YigLPtZhP6QzlKjf3Soq5OJNfVlHA3ci+3a
UgbM+IQ/OTTkXMVbya60veWrN6/Njo/66D0EyUuHB5/bUHkFIjnWaz1DSG8g0vJq
XfFNOusz9Dkrhz0gearv/fbRb93GxXRejTK/Jo9sMJta8pWAm4d1Yg==
=5Loi
-----END PGP SIGNATURE-----