1997-12-16 - Re: UCENET II and Peter duh Silva

Header Data

From: Charlie Comsec <comsec@nym.alias.net>
To: cypherpunks@toad.com
Message Hash: bcb5c6668c42682f79ea68babb90aff97c978728200532e3967d4f7cd37f2f36
Message ID: <19971216164009.23206.qmail@nym.alias.net>
Reply To: <66iaur$foc$1@chronicle.austx.tandem.com>
UTC Datetime: 1997-12-16 16:48:45 UTC
Raw Date: Wed, 17 Dec 1997 00:48:45 +0800

Raw message

From: Charlie Comsec <comsec@nym.alias.net>
Date: Wed, 17 Dec 1997 00:48:45 +0800
To: cypherpunks@toad.com
Subject: Re: UCENET II and Peter duh Silva
In-Reply-To: <66iaur$foc$1@chronicle.austx.tandem.com>
Message-ID: <19971216164009.23206.qmail@nym.alias.net>
MIME-Version: 1.0
Content-Type: text/plain



-----BEGIN PGP SIGNED MESSAGE-----

Information Security <The@NSA.sucks> wrote:

> :   While that's technically true, it's even more true of non-anonymous e-mail
> :   addresses.  Usenet posts are much easier to forge than PGP signatures, and
> :   it's quite simple to sign up for a throwaway e-mail account under an assumed
> :   name.  It's not very secure from a privacy standpoint, but it's even less
> :   secure from a "positive ID" POV.
> :  
> :   At least with a PGP-signed anonymous post, readers are alerted up front that
> :   they are reading the work of an author who is withholding his/her identity.
> :   But if you read a post from "john_smith@hotmail.com", is it really someone
> :   named "John Smith" or not?
>    
> I'm not following this...anyone can generate PGP keys, and digital signatures
> are not necessary to identify an account...

Sure, anyone can generate a PGP key.  It's almost as easy as generating a
throwaway e-mail address.  And what does posting from a certain e-mail address
or signing one's post with a certain PGP key prove?  It proves that the poster
KNEW a certain piece of INFORMATION, either an account password or a PGP
secret key.  It's usually inferred that the person who possesses that
information is the person who generated it.  Of the two, guessing a PGP
secret key is orders of magnitude harder than guessing someone's password,
logging on, and impersonating them.

In addition, PGP signing is "portable".  No matter where I post from, if I
sign my post with the same key, you can assume it's me who posted it.  It's 
more difficult to do that with an e-mail address.  Let's say that you have a
common name like "John Smith" and you post as jsmith@someisp.com.  Are you
saying that's your "identity"?  What if Someisp, Inc. suddenly files for
bankruptcy and shuts down without warning?  Did you lose your identity?

You could open a new account as "jsmith" somewhere else and claim you are
the same person who previously posted as jsmith@someisp.com, but so could
anyone else who desired to impersonate you.  If you were signing your posts
with a PGP key, then all you'd have to do is make a post from your new ISP,
sign it with the same key, and your "identity" is "transferred".

- ---
Finger <comsec@nym.alias.net> for PGP public key (Key ID=19BE8B0D)

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

-----END PGP SIGNATURE-----
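The key-as-identity argument above, as an added example that is not part of the original post: a reader links posts by the key that verifiably signed them rather than by the From: address, so the same key from a new ISP still links while the same address under a different key does not. Ed25519 from Go's standard library stands in for PGP's signature scheme; the addresses, bodies and keys are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Post: a Usenet-style article; From is an unverified claim, Sig covers only Body.
type Post struct {
	From   string
	Body   string
	PubKey ed25519.PublicKey // constructed stand-in for the poster's PGP key
	Sig    []byte
}

// SignPost signs Body only: identity travels with the key, not the posting address.
func SignPost(from, body string, priv ed25519.PrivateKey) Post {
	pub := priv.Public().(ed25519.PublicKey)
	return Post{From: from, Body: body, PubKey: pub, Sig: ed25519.Sign(priv, []byte(body))}
}

// Author: fingerprint (PGP Key ID role) of the key that verifiably signed p, or "" if none.
func Author(p Post) string {
	if p.PubKey == nil || !ed25519.Verify(p.PubKey, []byte(p.Body), p.Sig) {
		return ""
	}
	h := sha256.Sum256(p.PubKey)
	return hex.EncodeToString(h[:8])
}

// SameAuthor: same identity iff both posts verify under the same key, whatever From says.
func SameAuthor(a, b Post) bool {
	fa, fb := Author(a), Author(b)
	return fa != "" && fa == fb
}

func main() {
	_, jsmith, _ := ed25519.GenerateKey(rand.Reader)   // the real jsmith's key
	_, impostor, _ := ed25519.GenerateKey(rand.Reader) // someone else's key
	old := SignPost("jsmith@someisp.com", "Hello from Someisp", jsmith)
	moved := SignPost("jsmith@otherisp.net", "Someisp folded; same key, new ISP", jsmith)
	fake := SignPost("jsmith@someisp.com", "I am jsmith, honest", impostor)
	fmt.Println("old vs moved (same key, new address):", SameAuthor(old, moved)) // true
	fmt.Println("old vs fake (same address, other key):", SameAuthor(old, fake)) // false
}
```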