On Wed, 29 Nov 1995, Adam Shostack wrote:
PGP is really not the issue. The issue is more my security and the environment that I use PGP in. I don't have a trusted machine to run PGP
Threat, please?? Do people often stand over your shoulder as you type?
Yes.
And you can't ask them to leave, as you send anonymous messages? Or does your whole office know you're one of those who post to cypherpunks as Alice d' nonymouys?
Have you considered putting the secret keyring on a floppy and locking it in your desk/safe when you're not actually in the office? (Or home..)
Yep, I've considered it. It's still not all that helpful. Cleaning staff has plenty of time when I'm not around to deal with that.
Of course, if the cleaning staff cut your safe open, you have a good indication of that in the morning. Not that you've demonstrated that the level of effort to do all of this at all equates to what is gained, namely, the ability to impersonate you. Which everyone in the world has today.
So, I don't fool myself, and I don't use PGP, except for things like exchanging a one-time pad with someone when I've already sent the message out across another delivery mechanism, like on a floppy delivered by courier.
I don't follow. You're claiming that PGP is good enough to transfer OTPads, but not good enough to sign pseudonymous messages?
Sure. Two different situations.
[...]
And once they've confirmed that they have the encrypted message safely in hand, then I'll call them and ask them to call me with their public key delivered by voice via telephone.
Which I then use to encrypt the one-time-pad, using the PGP key only once.
Then, I'm comfortable sending it (not the message, but the pad) over the Internet encrypted with PGP. And I think at that point, I have Pretty Good Privacy.
Of course, then your message only has 128 bits of security, because the Greyhound or DHL employee could be easily compromised, as could the message in their office. So you encrypt the pad with IDEA, getting you IDEA level security, and think you're working with one time pads?? I'm flabbergasted.
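Added example, not part of the original thread: a toy Python model of the scheme discussed above, showing that once the pad is wrapped under a session key, the pad cancels out and the work factor is bounded by that key's size. The names, the sample message, the 16-bit toy key and the SHA-256 counter-mode keystream are all assumptions made for illustration; this is not IDEA and not PGP's code.

```python
import hashlib
import secrets

TOY_KEY_BITS = 16  # constructed toy size so the search finishes quickly; IDEA keys are 128 bits

def keystream(key: int, length: int) -> bytes:
    """Stand-in cipher (assumption): SHA-256 in counter mode keyed by an integer."""
    out, counter = b"", 0
    while len(out) < length:
        block = key.to_bytes(16, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def send(message: bytes, wrap_key: int):
    """Sender side: OTP-encrypt the message, then wrap the pad under the session key."""
    pad = secrets.token_bytes(len(message))                 # random one-time pad
    courier_ct = xor(message, pad)                          # goes out by courier
    wrapped_pad = xor(pad, keystream(wrap_key, len(pad)))   # goes out over the Internet
    return courier_ct, wrapped_pad

def search_wrap_key(courier_ct: bytes, wrapped_pad: bytes, known_prefix: bytes):
    """Cost for a party holding both pieces: at most 2**TOY_KEY_BITS trial keys.

    XORing the two pieces removes the pad entirely, leaving the message
    protected by the wrapping key alone.
    """
    combined = xor(courier_ct, wrapped_pad)   # == message XOR keystream(wrap_key)
    for guess in range(2 ** TOY_KEY_BITS):
        candidate = xor(combined, keystream(guess, len(combined)))
        if candidate.startswith(known_prefix):
            return guess, candidate, guess + 1
    return None, None, 2 ** TOY_KEY_BITS

if __name__ == "__main__":
    msg = b"SUBJECT: quarterly figures attached below"   # constructed sample
    ct, wp = send(msg, 0xBEEF)
    key, plaintext, trials = search_wrap_key(ct, wp, b"SUBJECT:")
    print(f"recovered key {key:#x} after {trials} trials: {plaintext!r}")
```

The pad's length and randomness never enter the search; only `TOY_KEY_BITS` does, which is the point made in the reply above about IDEA-level security.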