-----BEGIN PGP SIGNED MESSAGE----- On Fri, 25 Aug 1995, P.J. Ponder wrote:
Date: Fri, 25 Aug 1995 21:52:47 +0100 From: P.J. Ponder <ponder@wane-leon-mail.scri.fsu.edu> To: hfarkas@ims.advantis.com Cc: cypherpunks@toad.com Subject: Auto-pgp for pine/elm/tin (fwd)
In Garfinkel's book, he talks about the risks of running PGP on a multiuser system where others (sys. admins, eg) have higher levels of authority than you do. I have PGP installed on my pc and if I want to use it, I can save the message in ascii, then upload it to the server where I have my Internet account, then mail it. maybe not entirely transparent, but at least it seems to me that the convenience of running it on the server with something like Mr. Wilcox's BAP is not worth the added risk. Besides, how often do you need to use it? -- pjp
the risks etc of using pgp on a multiuser platforms are well known. i'd say it's better to have a pgp signed mesg than an unsigned one. if you post a lot, or mail a lot, that's a lot of mesgs to sign. finding a tool to do this more easily than using pgp through the shell interface is 'a good thing'. given that, here are some args for signing on a multiuser platform. often, people (me included) choose to use a separate 'weak' key for these purposes. it's always nice to have some sort of indication that that is what the key is for. i had a key with 'INSECURE KEY!!' tagged on the end of my userid. i had another for secure communications. now, you can't stop some sysop type person from doing whatever to you. that's the way it goes. but, if you've got a really malicious sysop, they could just spoof you to the world, including making up a key supposedly from you. if they posted enough crap using that key people would begin to think that they are really you or that one of you is lying and to hell with both of you. this sort of denial of service attack is an unlikely event (unlikely for a sysop to do - someone else is a diff matter). finally, independent of multiuser platforms, the signing utilities are quite useful for people like me who have their own personal unix box on the net. - -pjf patrick finerty = zinc@zifi.genetics.utah.edu = pfinerty@nyx.cs.du.edu U of Utah biochem grad student in the Bass lab - zinc fingers + dsRNA! ** FINGER zinc-pgp@zifi.genetics.utah.edu for pgp public key - CRYPTO! zifi runs LINUX 1.2.11 -=-=-=WEB=-=-=-> http://zifi.genetics.utah.edu -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMD6GjE3Qo/lG0AH5AQHazAP/ToRRiftaXDspBAnECzoM1ZexhqKb8Ou/ uxSljS/w3h9yz7+j6bJIbak1CI2JFrTneyj6jKsW/2wCV/p65F+5dvD2a2VUCJ6u +93zmFHiMS0XhCl3lLutKKlcrZkXC1P1qvY7ozFYoJ5PQ7rqQGfoxUuPisGJ5gJm XH/kkQSIuis= =VpN7 -----END PGP SIGNATURE-----