On Sun, 3 Sep 1995 Cybie@cris.com wrote:
Before you do it, make sure your ISP doesn't mind you telneting to port 25. VCU's computer dept. doesn't take to kindly to it. They're worried about people sending forged e-mail. (I was tempted to tell the guy when I got caught doing it that they should put a copy of PGP online for folks to use. But I just wanted my account re-instated.)
CMU's systems, for instance, are nice enough to explicitly warn you 'Mis-identifying the sender is an abuse of computing resources.' on their machines' port 25. I take this to imply that they don't take kindly to such use of their machines by students or non-students...but what they would do to a non-CMU student is not clear. Come to think of it, would there be legal issues involved in forging e-mail addresses? Can one have a reasonable expectation of identity in ordinary e-mail? Probably not. How about mail authenticated with PGP, RIPEM, Notes, or a similar system? We've seen key certification by VeriSign, among others...and, if we assume a certification structure which requires checking the True Name of the person, then we have a link between the key and the identity. All well and good. If we add key escrow to this certification structure, or require a True Name for *all* keys, then one could have 'identity escrow'...a situation in which pseudonymous keys can be created and distributed with certification that they really belong to a (presumably unique) True Name. In the example of a bank with anonymous officers, their identities might be held by another organization(oversight committee, industry certification authority, etc.), and revealed in the event of an investigation. Doesn't VeriSign already sign 'Personality Certificates'(sorry if not the right term) for pseudonymous IDs? Obviously, setting and enforcing limits on keys per person, should that be desirable, could be difficult. In the simplest case of one verified key and identity per person, an entity who can satisfy the verification process multiple times can be issued multiple keys. If there are a number of independent Certification Authorities, and assuming they don't cross-check, one could get as many keys as there are CAs. Lag time between, say, the Dhahran, Saudi Arabia office of the CA and the rest of the structure might also allow for two or more keys at once. There's probably a dozen different ways to fool a CA or group of CAs. Unfortunately, they're likely to be so difficult, and the penalties severe enough(e.g. permanent revocation of all keys with a particular CA), that few will use them. I wonder if this sort of "feature" is already on tap for a Government Certification Authority in the U.S.. If pseudonymity is offered at all(perhaps as a sort of compromise), it seems reasonable that any State-sponsored CA would insist on identity escrow. The next logical step, of course, would be to subordinate, discredit, or outlaw other CAs, in order to minimize the 'possibility' of 'evil criminals' using the 'national information infrastructure' for 'nefarious acts of impersonation'. Web-of-trust would probably still be legal. It would be absurdity to even attempt to outlaw it, as one would hope the example of PGP has shown. One might as well outlaw gossip. Unfortunately, web-of-trust is rarely as extensive(at least for me) than a full-blown certification hierarchy. It is certainly more work. In effect, the State would reserve to itself the ability to certify keys on a large scale, on its terms. Scary. On the other hand, it could also make for some very interesting situations...such as a pseudonymous identity, accredited by the State, able to participate in elections, enter into binding contracts, and telecommute to work. Again, making sure no one registers and votes twice might be a bit of work. Perhaps down the line, such an identity could run for office. The line 'I'm With Stupid' takes on a whole new meaning... David Molnar P.S. Andrew L : Yes, I'm the same person you knew in Houston! Have you received the mail I sent you? -Haynow