Re: "You aren't following the _rules_!"
-----BEGIN PGP SIGNED MESSAGE----- Tim wrote:
I have little means of solving the Netcom-Macintosh-elm-Eudora issues, and I don't see others solving them especially cleanly or usably, so I expect that the "sign your messages or else" dictum would have a predictable result, for me.
I don't want to restart the "If the output won't work on a stack of Hollister cards the system sucks" thread, but Tim is here, as he is most of the time, right. After two years, we still have not made it much simpler to integrate PGP/whatever into a mixed OS environment.
And isn't it up to the _readers_ to decide if they don't want to read my messages because they think I'm not being diligent enough, or because my messages appear to be forged?
Few readers on this list would think that Tim is not diligent enough. A forged message would not be able to fool us for long. The problem is that there is no simple way to integrate PGP with the many newsreaders, mailers, etc., that are being used on the net. This is unlikely to change until there is a new, acceptable, RFC for mail that implements digital signatures and encryption (if desired) without user intervention.
Isn't end-user choice the core of the Cypherpunk ethos?
Yes, choice is what Cypherpunks are (I hope) about. Choice through crypto. Unless crypto spreads we will face ever reduced choice. Crypto will not spread unless there is a demand. Most people, including one of (the?) leading thinker(s) of the group on the net that most supports cryptography believe that the added security and privacy that cryptography provides are not worth typing a few commands or clicking a few buttons. I myself rarely, if ever, sign my post. If WE don't even use crypto ourselves, who do you think else uses it and who do you think will therefore care if the government chooses to outlaw it?

We don't have a motivation to use crypto. We all realize that there is really no need to encrypt/sign the vast majority of the stuff we are sending. There may be the occasional message that we will encrypt and we are well aware that we encrypt that message for the very reasons that the powers-that-be want to see encryption outlawed.

There are no better tools for integration of crypto today, because there has been no need. The few times you actually need crypto you can punch the commands "by hand". I do not mean to belittle the work that has been done, but unless the encryption is built into the mailer and using a remailer means clicking the "use X remailer(s)" button, and the mailer better know which ones are working and do the PGP envelopes, it won't happen.

Hell, I have been on this list for two years and today I decided against posting that updater everyone was begging for to USENET because I didn't want to spend the 15 minutes it would take me to look up the address of a mail-to-usenet gateway, find out which remailers are working, binhex the thing, and paste it into the remailer interface. Yes, I know the 3 or 4 URLs it would take to do all that. Suppose the world will have to wait until that computer maker's FTP site is up again. <No, I don't see anything wrong with posting software that is available via FTP to USENET. Flames -> /dev/null>

We are stuck: No need -> no development of tools -> no spreading of crypto beyond the "hard core" -> no public resistance when crypto becomes illegal. So how can we prevent crypto from becoming illegal? Just follow the above chain backwards. Create a need. Create mailing lists that require signed messages. Create ftpsites that require signed uploads or whatever. Require the use of crypto. Not to partake in some involuntary interaction with the government (that will happen without our help), but for some voluntary interactions between people on the net. Sending mail to cypherpunks is such a voluntary interaction. Requiring it here just might result in better tools in the long run. Just an idea, if it sounds like garbage, forget about it.

- -Lucky, who wouldn't think of signing this post and only does it to show that requiring it for posting just might get people to do it.

-----BEGIN PGP SIGNATURE-----
Version: 2.6ui

iQCVAgUBLtrswASQkem38rwFAQFZ0AQAixcrK7wNFJzisuA3v8FefURUt05NYj23
AyJw9TVoyWuo4gdDiao1/3dC43ZIgVSvTTGXKZ8cy5a4YcFyMLMEKumNfyn7FM/l
PLzcOYXfCWp2/KlfY4cQs4nlUEDvheiTmgXE+2VRle00WHwL+ctm/Tx1i/mxD3BS
7Zo79IIOQyg=
=ZSOT
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----

I have to apologize for the length of this piece. It's almost 3 in the morning, and I've spent far too much time writing it. It's just that my "rant buttons" are pushed by an argument I'll call the "crypto isn't being used by enough people, so we'll have to make our own lives harder to set an example" argument. Some would call it the Self Flagellation Argument.

There's a larger issue, of why crypto is not being used in the way some of us think it _should_ be being used. Why no digital cash? Why no common use of digital signatures in the business world? Why isn't everybody (or anybody?) time-stamping their lab notebooks and song lyrics? Why, why, why?

I've developed some views on this. Some have come from watching my nanotechnology friends exhorting the world to develop nanotech, some have come from my 20 years in high tech, watching the "gotta succeed" technologies get bypassed (remember holographic memories? Integrated Injection Logic? laser pantography? aptical foddering? artificial intelligence?).

And on the "self-flagellation" front, I participated in well-intentioned experiments on other mailing lists, in which it was hoped that certain desired evolutionary outcomes be "facilitated" by list rules and regulations....how they failed is another topic.

And of course I've devoted several hours a day to this list for more than two years. A lot of stuff to draw some conclusions from. So, here it is. Not a polished essay, but as polished as it's likely to ever get.

Lucky Green wrote:
I don't want to restart the "If the output won't work on a stack of Hollister cards the system sucks" thread, but Tim is here, as he is most of the time, right. After two years, we still have not made it much simpler to integrate PGP/whatever into a mixed OS environment.
The issue that keeps coming up is a familiar one to economists: is the success of a product determined by the "push" of customer demands for such products or by the "pull" of available technology? Did customers demand the microprocessor or did companies like Intel demonstrate a technology and thus pull customers in? (The possible subject of much debate. Examples on both sides. An exercise: which model does the Web/Mosaic combination fit?)

As it relates here, there seem to be two main camps:

1. The Pushers. Those who believe that encryption and related technologies (digital cash being the most obvious) will "succeed" (become popular, profitable, etc.) when there is *customer demand* for it. Some purpose, some economic gain, or some recreational benefit.

2. The Pullers. Those who believe that these technologies will succeed because they are so compelling as to pull customers in.

Orthogonal to these are the camps regarding how to *proselytize* crypto:

A. The Preachers. Spread the word, educate the masses. Make crypto necessary to access information. (Whether for the Pushers or the Pullers, the Preachers believe that the key to the success of crypto lies in _convincing_ others to use it.)

B. The Pragmatists. Whether pushed or pulled, crypto will happen when it happens. When the time is right--technologically, economically, and socially, perhaps--crypto will find its uses.

(I could, as is my wont, write more on each of these. But I'll resist the urge.)

The graphically-oriented may imagine this as a map. With ranges of beliefs. Various of you fall into various places on this map. Some argue that lawyers should relocate to the Caribbean tax havens to "service" Cypherpunk needs (no insult intended to the proposer of this scheme, but this is a classic "2A"--the Preacher-Puller. Also known as the "If you build it, they will come" view.). Others argue that Cypherpunks should "practice what they preach" at all times (not surprisingly, a trait of the Preacher).

Well, I think you can see where I'm headed. I happen to believe that strong crypto, of the sort I am interested in (though not necessarily using/advocating/proselytizing for), will become common at some time in the next decade or so:

- when markets have arisen which can make use of, for example, digital cash. (This could be next year, with NetCash or VisaBits...it's always hard to predict exact markets.)

- when the current protocol problems which make all of this crypto stuff so _complicated_ to use ("To spend a DigiDime, first create a client on a 4.3BSD-compliant server....").

- when other interesting technical problems well known to us--such as issues about double spending, revocation, etc.--are better solved. (Yes, I am saying that we are probably a couple of years too early...the Crypto conferences are still generating new results. Perhaps someone will pull it off, but it is by no means obvious that all the pieces are ready to go.)

- and of course when everyone is just a little bit better net-connected, when e-mail is more robust, when agent technology is more mature, etc.

So, I guess this makes me a "Pragmatist." No point in preaching. (And before a smart aleck claims that my presence on the list, and my posts, and my FAQ, etc., makes me a "Preacher," think about it. One can be interested in an area, want to see it become a reality, without being a Preacher. The microprocessor happened for a variety of reasons...proselytizing was not one of the main reasons.)

As to Pusher or Puller, I'm in both camps. Certain market needs--in areas like online commerce, Web publishing, even money laundering--will push the existing technology "from the bottom up." Thus, brain-damaged "electronic purse" schemes will be broken, will need to be fixed, and so folks like Chaum and Brands will license their results, consult, etc. This is how most products evolve, kind of haphazardly (in the sense that previous history exerts a strong influence...the reptilian brain in us, etc.).
At the same time, the purer technologies--such as DC-Nets and other abstract ideas--will pull from the top. (It can be argued that the two are really the same, displaced in time. Thus, yesterday's exotic technology that "pulled" is today's "pusher" tool. Digital signatures, for example.) I'm all for exploring, for folks going off and doing their thing, and for trying to commercialize ideas. (The joke that the only people who've made money on crypto are the book publishers is not far from the truth. RSA Data has, despite its obvious situation, never paid a dime to its early investors (so says Alan Alcorn, inventor of "Pong" and an early investor in RSADSI). Zimmermann sure hasn't. I assume Cylink, Crypto AG, and some of the others have some profits, or at least not continuing losses, but none of them are powerhouses.) The Glorious Crypto Revolution may happen. In fact, I'll bet on it. But the precise form is unknown. And it won't happen because a bunch of people decided to "prove the technology" by sending DigiFranques to each other in a toy market. (The HEx market on Extropians showed the failure of this...as have some experiments here.) And it won't happen because we all sign our messages, any more than wearing secret decoder rings ushers in a new political regime. (I'm much more interested in ensuring that signing of messages, or encryption of them, cannot practicably be outlawed than I am in "spreading the word." If having lots of folks using crypto makes a ban less likely or less enforceable, then of course I hope more people use crypto. But this is not the same as saying we should all be "setting an example" and thereby _cause_ this widespread use. Or so it seems to me.)
We are stuck: No need -> no development of tools -> no spreading of crypto beyond the "hard core" -> no public resistance when crypto becomes illegal.
Push and Pull, Preachers and Pragmatism. Find the "Killer App" that people want, and there you are. Web/Mosaic is the current killer app. (And ironic that so many people preached the wonders of hypertext and Xanadu...including several people on this list (and I agreed with them, by the way)...but nothing of significance happened until the WWW and browsers ignited the phenomenal explosion of the past two years.)

And if you can't just "think up" the killer app, find an area of deep interest and focus on that _for the pleasure of it_ (and for the profit of it). Somebody who, as an example, can apply agent technology to crypto, may find himself in the thick of things in 1998.

I guess I'm reacting to the pervasive mood of "We've got to *do* something!!" that keeps coming up. I'm skeptical, because of the push/pull points, and because a bunch of scattered, part-time workers who rarely meet, who are all going in different directions, etc., is not exactly a team likely to build a new product. (In nearly every case I can think of where a significant technology or product was developed, some kind of focus was needed. Usually geographic, and usually economic ("Finish this or you're fired," to put it bluntly).

(Some may cite the PGP 2.x effort as a good example of Net collaboration. I wasn't in on it, but in talking to some of those who've worked on it, my impression is that the focus was still there. Provided by Phil, and by the _existence_ of PGP 1.0, an exemplar that could then be added to, worked on, etc. Remailers are a kind of equivalent.)

In any case, the notion that a bunch of us--students, dabblers, activists, engineers, etc.--can somehow create a finished product, or a company, as some folks periodically try to argue for ("Let's do a company!"), is not too likely. (I was going to say "is crazy," but some may think I'm already being insulting enough. Believe me, my intent is not to insult any of us.)

Crypto is happening. In bits and pieces. As is to be expected.

But then, I'm a pragmatist.

--Tim May

-----BEGIN PGP SIGNATURE-----
Version: 2.7

f99TVoyWuo4gdDiao1/3dC43ZIgVSvTTGXKZ8cy5a4YcFyMLMEKumNfyn7FM/l49
y0CVAgUBLtrswASQkem38rwFAQFZ0AQAixcrK7wNFJzisuA3v8FefURUt05NYj23
2lJw9TVoyWuo4gdDiao1/3dC43ZIgVSvTTGXKZ8cy5a4YcFyMLMEKumNfyn7FM/l
PMzcOYXfCseehoweasilytheserequiredsigscouldbespoofed?3858H3w2NlC
3Zo79IIOQyg=
=ZSOT
-----END PGP SIGNATURE-----

--
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
Cypherpunks list: majordomo@toad.com with body message of only:
subscribe cypherpunks. FAQ available at ftp.netcom.com in pub/tcmay
From: tcmay@netcom.com (Timothy C. May)
It's just that my "rant buttons" are pushed by an argument I'll call the "crypto isn't being used by enough people, so we'll have to make our own lives harder to set an example" argument.

Let me review the exact proposal. First, a recognizer is set up at toad.com to distinguish between digitally signed and unsigned messages. Second, some action on the message would be taken, which would gradually increase in effect over time. The first action would be to add a header to the end of the mail identifying it as unsigned. A later action would be to delay the mail at the server for some amount of time. A final action would be to delete or bounce messages that weren't signed.

I note that Tim is not objecting to the nature of these effects, but rather their existence, especially since he is not addressing the timing of any ramped up vigor at the server. Just to set the record straight, refusing messages would be at the very least over a year away, and certainly wouldn't be taken until crypto mail readers were widely available. For purposes of discussion then, I leave out message deletion and only address the server actions of notification and delay.

One underlying premise of Tim's argument is that the presence of these actions at the server makes his life harder. In what way? The server will not require a digital signature. Unsigned messages will still be sent to the list. There need be no change in the way that one sends and receives mail. I refuse the argument that toad.com server actions make anybody's life harder.

I'm not saying that these server actions would have no effect, far from it. The effects are all in the social realm and have far more to do with peer pressure and social position than with technology. Can it be said that being marked as a non-signer makes one's life harder? I think not, perhaps others feel otherwise.

I do, however, agree with the other two premises of Tim's hypothetical.
I do think that crypto isn't being used by enough people. I realize that the exact meaning of 'enough' is subjective, so let me rephrase. I do think that crypto is being used by fewer people than I want. I also believe that setting an example is a good thing, because it signals an achievable task to those who are considering doing it. When I first proposed server actions last year, it was with the full realization that I wouldn't be signing my own posts and would thereby be subject to the delay (the first-proposed action). This post isn't signed either. Eric
Right now there is no market for crypto on the net because the net is not yet real life. You cannot make money on the net, net reputations do not count in jobs, academic or otherwise. When real life moves onto the net, there will be plenty of demand for crypto. And as I said before, first you need a user interface that even the chairman of the board can use. First we get that user interface up for other things, then for crypto. Do crypto first, no one will buy it.

--
---------------------------------------------------------------------
We have the right to defend ourselves and our property, because of the kind of animals that we are. True law derives from this right, not from the arbitrary power of the omnipotent state.
James A. Donald
jamesd@acm.org
Eric Hughes wrote:
Let me review the exact proposal. First, a recognizer is set up at toad.com to distinguish between digitally signed and unsigned messages. Second, some action on the message would be taken, which would gradually increase in effect over time. The first action would be to add a header to the end of the mail identifying it as unsigned. A later action would be to delay the mail at the server for some amount of time. A final action would be to delete or bounce messages that weren't signed.
As "all crypto is economics," the question is "why?" Why delay/bounce messages that don't fit someone's idea of proper usage? Not to trivialize this proposal by frivolously insulting it, but consider a mailing list that decided to delay/bounce any messages that were not written in TeX, or in Acrobat, or whatever. How would people react who lacked these capabilities, or preferred to use alternatives (like simple unadorned text), or who merely object to an enforced standard?

If there's a good reason, fine. Or if the "owner" chooses to set arbitrary policies, fine. "My house, my rules" and all that. I don't want to open the pointless debate about who "owns" the list. I'm relatively happy with the way things are: John Gilmore owns the toad machine and lets us use the CPU, etc., Hugh Daniel performs various maintenance actions on toad, and Eric Hughes is the de facto chief operator of the list.

But that Eric--or John or Hugh or anyone else--has some notions of what people _ought_ to be using does not seem to be enough to effectively bar those who helped form the Cypherpunks group (many of us) just because they choose to communicate in one particular way. If some flavor of PGP is mandated, I expect I'll unsubscribe (as I can't stand reading but not posting...lurkers obviously feel otherwise).

Absent a compelling reason, a market reason, why bother with someone's notion of ideological reasons? If people feel my unsigned messages are ideologically incorrect, they can not read my stuff.
I note that Tim is not objecting to the nature of these effects, but rather their existence, especially since he is not addressing the timing of any ramped up vigor at the server. Just to set the record straight, refusing messages would be at the very least over a year away, and certainly wouldn't be taken until crypto mail readers were widely available. For purposes of discussion then, I leave out message deletion and only address the server actions of notification and delay.
I didn't address the timing because it's not the main issue. I agree that a year-long delay would lessen the effects, but it's still unwise to let ideology interfere with communication. (For example, if I ran the list, instead of Eric, perhaps I'd insist that all posts be paid for in digital cash...or bought, or whatever. Lots of folks would be justifiably concerned that my ideology was getting in the way of letting folks communicate as they see fit.) (Like I've said, anyone who doesn't want to read unsigned posts is perfectly free to filter out unsigned messages.)
One underlying premise of Tim's argument is that the presence of these actions at the server makes his life harder.
In what way? The server will not require a digital signature. Unsigned messages will still be sent to the list. There need be no change in the way that one sends and receives mail.
What about the *bounce* plan? If my posts get bounced, that'd qualify as making my life harder. Or so it seems to me.
I refuse the argument that toad.com server actions make anybody's life harder.
I can imagine many such actions that would make many people's lives harder. A requirement to post in TeX, a stipulation that all posts use a certain format, academic rules for footnoting, etc. All of these sorts of "rules" can and do make lives harder. (I'm grappling with specific format requirements for a paper to be published in a French publication. Such format requirements have their advantages, and I don't dispute the right of the French publishers to impose them, but they indisputably make the lives of authors harder.)
I'm not saying that these server actions would have no effect, far from it. The effects are all in the social realm and have far more to do with peer pressure and social position than with technology. Can it be said that being marked as a non-signer makes one's life harder? I think not, perhaps others feel otherwise.
Again, I thought the proposal was to ultimately reject non-signed articles? That's a bit more than merely "being marked as a non-signer."

Speaking of this, it's already pretty clear who signs and who doesn't. What could be clearer than "----BEGIN PGP SIGNED MESSAGE---"? Why is anything further needed? If the proposal is to stamp a scarlet letter on non-signers, it seems overly harsh, somewhat petty, kind of insulting, and not needed. Cypherpunks can clearly see who signs, who doesn't, and can decide what they wish to do with messages.

I don't wish to sound angry, as I'm not, really. This is a fascinating issue unto itself, worthy of discussion.

--Tim May

--
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
Cypherpunks list: majordomo@toad.com with body message of only:
subscribe cypherpunks. FAQ available at ftp.netcom.com in pub/tcmay
Let me be REAL clear about this. The immediate proposal is to mark and possibly delay unsigned messages to the list. The proposal does NOT include bouncing messages or preventing use. These options are acknowledged as possibilities for the future. They are not on the table right now. I, unlike the gov't, will warn you of your impending doom.

From: tcmay@netcom.com (Timothy C. May)
Not to trivialize this proposal by frivolously insulting it, but consider a mailing list that decided to delay/bounce any messages that were not written in TeX, or in Acrobat, or whatever.

I don't think you are frivolously insulting it, but I do think you are ignoring the basic distinction I made about the difference between measures which prevent use and measures which do not. The use of the syntax "delay/bounce" denies exactly this distinction.

[...] to delay/bounce any messages that were not written in TeX, or in Acrobat, or whatever. How would people react who lacked these capabilities, or preferred to use alternatives (like simple unadorned text), or who merely object to an enforced standard?

I have two answers, one for delay, the other for bounce.

1. For delay or other non-preclusive measures, those who do not use the valorized feature can still use the list. They get signalled in some fashion that use of the valorized feature is desired. I consider this primarily a communication mechanism. I wish to communicate to everyone on the list that using digital signatures is something that I want everyone to do. In particular, that means that you, the current reader of this message, are one of the people I want to use digital signatures. Rhetoric is not as effective as a policy embedded in software that people interact with. Doing is more effective than hearing.

2. For bouncing or other preclusive measures, those who do not use the valorized feature can't participate in the discussion.
This would in many situations be counterproductive, but in others, say, an experimental group discussing design in Acrobat, absolutely vital. As this is not germane to the actual proposal, I leave off here.

But that Eric [...] has some notions of what people _ought_ to be using does not seem to be enough to effectively bar those who helped form the Cypherpunks group (many of us) just because they choose to communicate in one particular way.

I want you, Tim May, to use digital signatures. There, that's explicit and verbal. I do understand if your software doesn't cooperate. I've been there. I'm not (to repeat) talking about a proposal to eliminate you from the list. Does a mark or a delay constitute an "effective bar" from participation on this list? I think not, although I'm entertaining arguments.

If some flavor of PGP is mandated, I expect I'll unsubscribe (as I can't stand reading but not posting...lurkers obviously feel otherwise).

Whoa! We went from an effective bar to an actual prevention there. That's not what I'm talking about. And I'm not tied to PGP by any means. You want to make a digital signature with some other piece of software? Fine. I'll add it right in.

Absent a compelling reason, a market reason, why bother with someone's notion of ideological reasons?

I'm not a libertarian (neither big L nor small l), and I don't find an identity between compelling reasons and market reasons, as apposition implies. The implementation of function at the server is a communication between me, Eric Hughes, the implementor of that nasty shit, and you, the participant in the cypherpunks list, that I want you to use digital signatures. Now, because of my position as de facto list maintainer, I can do this and you can't. I've got the bully pulpit, and while I've not used it much, I am beginning to want to spend some of it on urging crypto deployment and usage.

Not all is lost for erstwhile communicators.
One could write a filter to look for unsigned posts and pipe them off through a suitably hacked 'vacation' filter which would send them a missive (but not too often) encouraging the use of cryptography and which would include pointers to software. This kind of communication is similar in form but not in scope to what I've proposed for the list. In fact, if someone were to bundle this kit up, I suspect it might receive fairly wide use.

[...] perhaps I'd insist that all posts be paid for in digital cash...or bought, or whatever.

Your hypothetical includes an insistence. Mine does not.

Again, I thought the proposal was to ultimately reject non-signed articles?

There's a very explicit disclaimer to the contrary in the original. To paraphrase, it acknowledged the possibility of rejection but removed it from immediate consideration.

Speaking of this, it's already pretty clear who signs and who doesn't. What could be clearer than "----BEGIN PGP SIGNED MESSAGE---"?

What about random headers with things like:

X-Signature: none
X-Warning: Cryptography Non-User
X-Heckle: Yo! Too _good_ to use crypto?
X-Lazy: Jeez, Eric's even got a Unix box at home and _still_ isn't signing?
X-Bozo: God, Tim's been on this list for over two years and he still doesn't sign his posts?
X-Traitor-To-The-Cause: <insert From: field contents here>
X-Cryptography-Impaired-And-Proud:

[For the satire impaired, note the use of the phrase "satire impaired" at the beginning of this sentence.]

If the proposal is to stamp a scarlet letter on non-signers, it seems overly harsh, somewhat petty, kind of insulting, and not needed.

A scarlet letter is a reasonably apt analogy, except the intent is not to create outcasts. Harsh? I still fail to see that. Petty? What trivial matter is being blown out of proportion? Insulting? I'm sure some people can take it that way. Not needed? Perhaps not, but I may _want_ it.

Eric
From Eric: Does a mark or a delay constitute an "effective bar" from participation on this list? I think not, although I'm entertaining arguments. A mark? No. A delay? Yes. Delays hurt the readers more than the posters, and help make discussions even more incoherent than usual, a bad thing for everybody IMHO. Marking is cool; validating and including a validation mark [yes/no] is even better. Forget the delay idea; it seems to me to hurt things more than it would help, and punishes the wrong people. No amount of coercion (at least no amount that I anticipate now) would get me to use digital signatures on my outgoing mail, until it gets substantially easier for me. It is hard enough to keep up with this list as it is. -- <dat@ebt.com> (david taffs)
-----BEGIN PGP SIGNED MESSAGE----- In article <199411300734.XAA10429@largo.remailer.net>, you wrote:
Let me be REAL clear about this. The immediate proposal is to mark and possibly delay unsigned messages to the list.
In my view, delaying unsigned messages is only moderately better than dropping them. It punishes users for having non-crypto-friendly email setups (and makes things somewhat more confusing for other list readers, even the ones who sign their messages).
From: tcmay@netcom.com (Timothy C. May)
Not to trivialize this proposal by frivolously insulting it, but consider a mailing list that decided to delay/bounce any messages that were not written in TeX, or in Acrobat, or whatever.
I don't think you are frivolously insulting it, but I do think you are ignoring the basic distinction I made about the difference between measures which prevent use and measures which do not. The use of the syntax "delay/bounce" denies exactly this distinction.
Yes, but you are denying the way in which delaying, like bouncing, actively interferes with the timely forwarding of non-signers' messages, while merely marking them is a more passive form of harrassment. Yes, there is a distinction between delaying and bouncing. There is also a distinction between battery and homicide. You keep insisting that delaying unsigned messages does not interfere with non-signers' abilities to participate in the discussion. I say you are wrong. It's a positive hindrance. It punishes people for circumstances that may well be beyond their control. It's a bad idea. You maintain the list, you can do what you want. As you can plainly see (Tim's right on this one), I sign my posts to the list, and my posts would get the favored treatment. No one can stop you; but if you do something that makes valued contributors take a walk, you wouldn't be doing the list any favors. (Are you going to make sure that all the signatures are valid, or will you accept someone sticking a PGP signature into their .sig and using it over and over?) | In the other room I passed by Ellen Leverenz as Alan Bostick | someone asked her "Do you know any monopole abostick@netcom.com | jokes?" finger for PGP public key | "Sure," she said. "In fact, I know two of them." Key fingerprint: | -- Terry Carr, GILGAMESH 50 22 FB 46 41 A3 17 9D F7 33 FF E1 4E 1C 89 79 +legal_kludge=off -----BEGIN PGP SIGNATURE----- Version: 2.6.1 iQB1AgUBLt1TQeVevBgtmhnpAQEHRgMAolHcawJ0g9KuZ3NI4DzeyNMJilO3wq/6 ABPmZiXGjxAxNXPiO1I3D9ZgjBYmglJiSo/mjfT0EyqA3UWDq801/4HegO7+3g8w xvhDa2KKvLi1iwO205rVPIIZ6pAfWupF =UYbe -----END PGP SIGNATURE-----
From: abostick@netcom.com (Alan Bostick)
Yes, but you are denying the way in which delaying, like bouncing, actively interferes with the timely forwarding of non-signers' messages, while merely marking them is a more passive form of harassment.
A delay for one minute (assuming notice for the delay) is hardly different than notification only. A delay for a month is hardly different than a bounce. Not all delays are the same. They cannot be analyzed as a single category but are better analyzed with respect to the characteristic time scales of the discussion.
You keep insisting that delaying unsigned messages does not interfere with non-signers' abilities to participate in the discussion. I say you are wrong. It's a positive hindrance.
This statement is true for large delays and false for small ones. The interesting issue to me is where a boundary might lie.
(Are you going to make sure that all the signatures are valid, or will you accept someone sticking a PGP signature into their .sig and using it over and over?)
At first, it would just be a recognizer for syntax, but at both ends. A second effort might actually hash the message but not bother with the signature itself. The second effort would require almost all the processing involved in a real signature and require the same architecture. It would not, however, be subject to the key distribution problem that I don't want to make a prerequisite.
It occurs to me that a format with just a hash might be generally useful against random data corruption, and not just a workaround hack.
Eric
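The two stages Eric describes above, sketched as an added example (not code from the list or from any poster): a syntax recognizer that checks the clearsign armor layout and its CRC-24 checksum, then a hash check that binds the trailer to the body. The hash-only envelope (which reuses the PGP armor markers), SHA-256, the canonical form and every function name are assumptions made for illustration.

```python
import base64, hashlib

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

def crc24(data: bytes) -> bytes:
    crc = 0xB704CE                      # armor checksum: CRC-24 init value
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB        # CRC-24 polynomial
    return (crc & 0xFFFFFF).to_bytes(3, "big")

def digest(body: str) -> bytes:
    # Assumption: canonical form strips trailing whitespace and uses CRLF.
    canon = "\r\n".join(line.rstrip() for line in body.splitlines())
    return hashlib.sha256(canon.encode()).digest()

def seal(body: str) -> str:  # hypothetical hash-only envelope, not a signature
    payload = digest(body)
    trailer = [base64.b64encode(payload).decode(),
               "=" + base64.b64encode(crc24(payload)).decode(), END_SIG]
    return "\n".join([BEGIN_MSG, "", body, BEGIN_SIG, ""] + trailer)

def recognize(msg: str):
    """Stage 1: return (body, payload) if the armor is well formed, else None."""
    lines = msg.strip().splitlines()
    try:
        sig_at = lines.index(BEGIN_SIG)
        body_at = lines.index("", 1) + 1        # blank line after message headers
        data_at = lines.index("", sig_at) + 1   # blank line after armor headers
        payload = base64.b64decode("".join(lines[data_at:-2]), validate=True)
        check = base64.b64decode(lines[-2][1:], validate=True)
    except (ValueError, IndexError):
        return None
    if (lines[0] != BEGIN_MSG or lines[-1] != END_SIG or body_at > sig_at
            or not lines[-2].startswith("=") or check != crc24(payload)):
        return None
    return "\n".join(lines[body_at:sig_at]), payload

def hash_ok(msg: str) -> bool:  # stage 2: payload must match this body's digest
    parsed = recognize(msg)
    return parsed is not None and parsed[1] == digest(parsed[0])

# Constructed sample: a sealed post, then its trailer recycled under a new body.
SEALED = seal("I sign all of my posts.")
RECYCLED = SEALED.replace("I sign all of my posts.", "A different post entirely.")
```

The recycled trailer is accepted by `recognize` but rejected by `hash_ok`, which is the gap Alan's question about a reused .sig signature points at. Neither stage proves who wrote the message; that still needs a real signature and the sender's key.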
-----BEGIN PGP SIGNED MESSAGE-----
Deletia...
Most people, including one of (the?) leading thinker(s) of the group on the net that most supports cryptography believe that the added security and privacy that cryptography provides are not worth typing a few commands or clicking a few buttons. I myself rarely, if ever, sign my post. If WE don't even use crypto ourselves, who do you think else uses it and who do you think will therefore care if the government chooses to outlaw it?
I've noticed this and always thought it quite strange.
We don't have a motivation to use crypto. We all realize that there is really no need to encrypt/sign the vast majority of the stuff we are sending. There may be the occasional message that we will encrypt and we are well aware that we encrypt that message for the very reasons that the powers-that-be want to see encryption outlawed.
Yes there is...I recently got my fanny pulled out of the fire because I sign ALL of my messages. Someone spoofed me on one of my accounts. I never got the full details, but I screamed VERY loudly to the powers "WAS THE MESSAGE SIGNED WITH MY DIGITAL SIGNATURE." The answer was "NO." My reply was "It couldn't be me, because my software automatically signs all of my posts...If I were you I would look at your logs to see who hacked the message." I never heard another word. Granted this wasn't a really big deal, but it does illustrate the power of digital signatures. It got them to at least look at their logs, which probably wouldn't have happened otherwise. (Even though that SHOULD have been the first place they looked.)
More deletions...
There are no better tools for integration of crypto today, because there has been no need. The few times you actually need crypto you can punch the commands "by hand".
I'm basically a lazy S.O.B. when I first got my shell account I made sure that my provider had uqwk installed because:
a. I wanted to use AUTOPGP to sign all of my messages automatically because I had been burned several times before on forgeries.
As more people get burned, the demand for digital signatures will go up. This was my initial motivation for installing PGP. The encryption angle came later. We might learn something from AUTOPGP. Instead of focusing on making every reader compatible with encryption, why not focus on making a semi-universal pre-processor and post-processor for them. Hit the lowest common denominator.
Another interesting concept would be for providers to make signatures mandatory. While you wouldn't be forced to sign your messages, you would be responsible for any message bearing your name if your software wasn't set up for signing.
Deletion...
We are stuck: No need -> no development of tools -> no spreading of crypto beyond the "hard core" -> no public resistance when crypto becomes illegal.
So how can we prevent crypto from becoming illegal? Just follow the above chain backwards. Create a need. Create mailing lists that require signed messages. Create ftpsites that require signed uploads or whatever. Require the use of crypto. Not to partake in some involuntary interaction with the government (that will happen without our help), but for some voluntary interactions between people on the net. Sending mail to cypherpunks is such a voluntary interaction. Requiring it here just might result in better tools in the long run. Just an idea, if it sounds like garbage, forget about it.
I agree with you Lucky, we have to create a demand. We also have to make it easy enough for people to implement. There is definitely a stigma attached to encryption though. Some of you may remember my post a while back about looking for a place to set up a mailing list, this will demonstrate some of the forces involved.
A while back I came up with an idea, "Why not set up a public mailing list to distribute PGP Keys." After mulling it over for a while I decided to do it. I also came up with the idea of subscribing alt.key-dist to it and also subscribing a keyserver to it. One stop shopping...post your key to the list and it makes it to all interested parties. A universal venue for distributing PGP keys. No system administrator involvement needed, instead of having to rely on them carrying alt.key-dist, which isn't on a lot of systems.
I went to several providers about setting up the list. (BTW - Thank You L. McCarthy for your efforts!!!) Everything was great until they found out what the list was for. After that "Sorry, we can't do it." or they wanted to charge an exorbitant price for the list.
The moral: A lot of system administrators do not want encrypted messages, because they fear that they are responsible for the content. While they won't kill encrypted messages they won't help propagate the technology either.
BTW - I'm still LISTLESS. (I couldn't resist the pun)
Sam (Who ALWAYS signs his messages)
==============================================================================
One was never married, and that's his hell; another is, and that's his plague. - Robert Burton, 1651
==============================================================================
skaplin@skypoint.com                 | "...vidi vici veni" - Overheard
                                     | outside a Roman brothel.
PGP encrypted mail is accepted and   |
preferred.                           | Change is the only constant in the
                                     | Universe..."Four quarters, please."
E-mail key@four11.com for PGP Key or |
Finger skaplin@mirage.skypoint.com   | Smile!! Big brother is watching.
Well, knowing the US, things will probably hobble along much the same, until there's a lawsuit. e.g. X sues Y because a post on the net 'apparently' from Y libelled X. Now *that* would get people to start using digsigs!
Ed
--
Ed Wilkinson emw@ima.com IMA Ltd Internet Email Gateways
From: Ed Wilkinson <emw@ima.com>
Date: Tue, 29 Nov 94 21:32:16 HKT
Well, knowing the US, things will probably hobble along much the same, until there's a lawsuit. e.g. X sues Y because a post on the net 'apparently' from Y libelled X. Now *that* would get people to start using digsigs!
Hmmm. So, let's see. Since I'm someone who (almost) always signs my outgoing mail/posts, if I make a libelous statement to a newsgroup and `forget' to sign it, then I'm safer from litigation than people who never sign?
Personally, I hope that when the first libel suit of this form actually makes it to trial, the defense makes a point of showing just how easy it is to spoof mail and postings, i.e. just how difficult the burden of proof is. On the other hand, I'm scared by the prospect that the first trial where it's an issue is a tax or drug forfeiture case where the burden of proof is on the defendant.
Rick
Ed Wilkinson wrote:
Well, knowing the US, things will probably hobble along much the same, until there's a lawsuit. e.g. X sues Y because a post on the net 'apparently' from Y libelled X. Now *that* would get people to start using digsigs!
Quite so. By analogy, the *safe* industry (vaults, not the modern thing) evolved by _insurers_ charging higher rates for weaker safes. This directly, in the present, incentivized a merchant to invest in a better safe. He didn't need to be _persuaded_ by the 1894 "Safepunks" mailing list that better safes were a good thing.
In other words, we're at an early, immature stage of crypto. Yes, really. I agree that some well-publicized events could accelerate the use of crypto, could galvanize improvements in user interface, etc.:
- a lawsuit such as Ed Wilkinson mentioned (a nit: from my understanding of burden of proof, the burden would lie on X to prove that Y libelled him, not on Y to prove that he didn't write the material).
- evidence of massive corporate espionage could accelerate a conversion to an "encrypt everything" mode.
- a patent dispute that gets settled because of time-stamping of lab notebooks...this would make "Electronic Lab Books" de rigueur. (Budding entrepreneurs may want to keep this in mind.)
-- and so on.
Crypto is mostly about economics, as we often say (esp. Eric H.). Costs of encryption, decryption, breaking of ciphers, deployment of digital cash, etc. Right now there are few _good economic reasons_ to use digital cash in lieu of real cash or Visa-type payments. Maybe this'll change (I think it will, someday), but for now...
All of these things are related.
--Tim May
--
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
Cypherpunks list: majordomo@toad.com with body message of only: subscribe cypherpunks. FAQ available at ftp.netcom.com in pub/tcmay
-----BEGIN PGP SIGNED MESSAGE-----
In article <3ymskKjqR8A3073yn@skypoint.com>, skaplin@skypoint.com (Samuel Kaplin) wrote:
I'm basically a lazy S.O.B. when I first got my shell account I made sure that my provider had uqwk installed because:
a. I wanted to use AUTOPGP to sign all of my messages automatically because I had been burned several times before on forgeries.
That's just it....I can't speak for Tim's setup but in DOS you have a couple of mailreaders (YARN and PGPBLU) that make signing and encryption of messages a snap, assuming you can run some sort of SOUP/QWK routine to pull your mail. Then, sign OR encrypt whatever you need offline and u/l it back into the system. Hell, I even use YARN to push encrypted & chained messages through the remailer system, and it works like a charm.
Since I can't see anyone maintaining their secret keys online (unless they consider the sysadmins ULTRA trustworthy), offline processing of messages is the path to follow. Simple, VERY quick and easy to implement with a couple of keystrokes.
Offline mail processing fits the criteria needed to nudge digital signatures and encryption overall into the mainstream, due to its speed and ease of use (i.e. not having to leave the mailreader program to use PGP). Keeping the use of signing/encrypting to one step is what makes it work.
participants (10)
- abostick@netcom.com
- David Taffs
- emw@ima.com
- eric@remailer.net
- jamesd@netcom.com
- Rick Busdiecker
- shamrock@netcom.com
- skaplin@skypoint.com
- tcmay@netcom.com
- werewolf@io.org