-----BEGIN PGP SIGNED MESSAGE----- In article <2h9gen$55r@uudell.us.dell.com> you write:
From owner-cypherpunks@toad.com Sat Jan 15 19:33:39 1994 From: VACCINIA@UNCVX1.OIT.UNC.EDU Subject: Using the tools we have To: cypherpunks@toad.com -----BEGIN PGP SIGNED MESSAGE-----
The detman has been blathering for weeks about how he will subvert the list and we now see all sorts of rants impugning the reputations of certain cypherpunks. Postings are reiterated with the message that so and so said this or that and this person is a nazi, or some such drivel. I have no idea who said what because many of the technowizards don't avail themselves of the technology which they themselves have made available and promote as a powerful new tool for the future. Positive reputations? Without an electronic sig, you don't have one. Future? It's here. If even we don't use the available tools, then they are indeed worthless.
One usefull thing that could be done, is to design a list, that will only post pgp-signed messages. To subscribe to the list, you send your pgp public key, and it sends back its private key. In order to for a recieved message to get sent out, it must be signed by the author. In order to make anonymous posting possible a person would need to create a "anonymous" key, with the anonymous remailer address in it. The annonymous account would still have to sign the messages so and identity could be track through this method. In order to prevent some kinds of abuses, the list server could send a password back to you encrypted with the private key you sent it. You would have to send it the password back encrypted with the server's public key. This would verify that the key was created by a particular users at a specific site. (OK, it would be possible to subvert this, but it is significantly more difficult.) The person that runs the list server can sign the list server's key to vouch for the listserver. For added security you could do something even better. The list server only posts messages that are "trusted" at a specified level, or it adds a trust factor to the message. If the list maintainer has met you and has signed his key, the list server will believe you are real. With the web of trust and introducers, the list server will quickly be able to identify most of the people on the list as being real or "pseudo". In particular this will cut down on the number of forgeries posted to the list. There are some technical problems with this, due to the hassel of signing and or encrypting the messages. Lack of anonyminity, etc. This could even convince most SANE people that there is no conspiracy, i.e. someone you trust to act as an introducer, believes that the other person you are talking with is real. Of course if there really is a conspiracy it doesn't really help. One of the things I've been thinking about recently, is about excerpt of messages and signatures. When you reply to a message and copy part of it there is nothing that prevents someone from editing the text. And of course the digitial signature is not longer valid because of the >'s or other characters in the body, plus you probably don't want to quote the whole message. Duplicating the entire message to prove that two or three lines were actually writen by a particular user id, is pretty wasteful. I suppose someone could write a signing program that signs each line idividually, but that does not sound like a good idea either. A 128bit hash would eat nearly 10% of each line. The hashes can be signed in the signature section at the end. After rereading some of Schneir book, it looks like you can't generate a MD5 hash for less than 64 bytes. You would need to pad lines or generate a hash for every two lines. It would still require some fancy software to handle the extracts and preserve the signature information. Currently most peoples software doesn't even easily support normal PGP/RSA signatures, much less anything so fancy. -----BEGIN PGP SIGNATURE----- Version: 2.3a iQCVAgUBLThtW3NeM/yj7Ik1AQEWgAQAh5tqTP1YvTQy09GhqlX85tkt8yH55Lz1 TRcZA5mJ8k9OXqgVLwkIHVUPViX+m+iSLuLR+QWbgUV04uPS/V8wzrnDNWRKvkQE qmYR3ZSr3agouXQygmFMtPgHzQpkzHNxV6rVSM6Wq7hEj/2lga7+lptHRW9Zy0tC SLL+0C6Jcpc= =rKLG -----END PGP SIGNATURE----- -- Jeremy Porter ----------------- Systems Enginneering ---- Dell Computer Corp. --- jerry@terminus.us.dell.com -------- ------------------------------------------------------------ Support your Second Amendment rights to encryption technology.