Re: using PGP only for digital signatures

At 04:12 PM 11/4/95 -0500, James Black <black@eng.usf.edu> wrote:
> Hello, I am in a discussion (during the week) with a system administrator about seeing if we can just make PGP publicly available to everyone, but now the discussion seems to be to just allow PGP to do digital signatures, and I don't think that is the best choice, then. They are not against PGP being used, but there are legal issues as to whether they can offer it to everyone, as some students are international students, and are not allowed to use the version for the US, or so I have been informed, so now I need to see if we can have the international version, so these students can use it. :( Are there any good programs (for the Unix, SunOS) that just do digital signature encryption? What they are trying to do is make certain that no one can send a message to anyone, claim to be in the faculty, and cause problems that way. My position is just a student programmer, but I am trying to learn as much as I can, to answer questions and deal with problems.

Yeah, there's RIPEM-SIG, which is approved for export so you can even give it to your non-Yankee students, and it's compatible with the RIPEM secure email stuff. So your US students, and anyone else who wants to download the software from England, can send secure email, and everybody can check the signatures. I'm not sure if RIPEM-SIG has caught up with the features in the latest versions of RIPEM, which include an X.509 variant on Web of Trust.

Somebody else has brought up the insecurity of using security software on multi-user machines, where the system administrator or anybody who cracks root can steal your passphrases and even replace the trustable software with trojan-horse versions; your students will be safer if they only trust stuff running on PCs from software they've verified themselves. But you can at least do signature-checking safely on a multi-user machine if the software is protected adequately.

#---
# Thanks; Bill
# Bill Stewart, Freelance Information Architect, stewarts@ix.netcom.com
# Phone +1-510-247-0664 Pager/Voicemail 1-408-787-1281
#---

Hello,

On Mon, 6 Nov 1995, Bill Stewart wrote:
> At 04:12 PM 11/4/95 -0500, James Black <black@eng.usf.edu> wrote:
> Somebody else has brought up the insecurity of using security software on multi-user machines, where the system administrator or anybody who cracks root can steal your passphrases and even replace the trustable software with trojan-horse versions; your students will be safer if they only trust stuff running on PCs from software they've verified themselves. But you can at least do signature-checking safely on a multi-user machine if the software is protected adequately.

I brought up the security issue with the administrator that I am talking with, about the implementation of PGP as it looks like it will go through all the hurdles. The last difficulty is that we have a student that has an account here, but he is actually overseas (so we will have two copies of PGP, and he will use the international one, not the US one).

The security issue is important. Part of that is that most users use dumb terminals, so any programs run will be done on remote servers. My solution (until I get a better idea) is to just write a mail program that can check the hash value (I think that is the term) of the PGP executable, compare it against the one that it created originally and use it, only if they are the same. The user can also request the number, and write it down for his own personal comparisons. The program will also automatically encrypt, if it finds the public key on the user's keyring, or the university's keyring.

I will now check on how secure the LAN network is, as I am a student and I want to know that the system is safe. She (the administrator) felt that if it is safe against people getting into accounts it should be safe, but if my signature is on a document, then people will believe that it is from me (until I state otherwise), and that could be more damaging than getting into my account.

Well, I am looking into the security side, since the legal issues are pretty much done with (IMOHO). If anyone has any brilliant ideas as to how to run PGP on a multi-user network utilizing dumb terminals so it can be transparent I am interested in options.

Well, take care and have fun, and I will look for RIPEM (I think that was the name) and see if that will be adequate, at the moment.

James Black
black@suntan.eng.usf.edu
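
The check described in the message above (hash the PGP executable, compare it with the value recorded earlier, run it only on a match), as an added example that is not part of either post. SHA-256, the function names and the stand-in file are assumptions; the pinned value has to be stored where other users cannot write, and, as the quoted reply notes, none of this helps against root replacing the checker itself.

```python
import hashlib
import hmac
import os
import tempfile


def digest_of_fd(fd):
    """SHA-256 hex digest of the file behind an already-open descriptor."""
    h = hashlib.sha256()
    for block in iter(lambda: os.read(fd, 65536), b""):
        h.update(block)
    return h.hexdigest()


def open_if_pinned(path, pinned_hex):
    """Return an open descriptor for path only if its digest matches the pin.
    The caller execs the descriptor, not the path, so renaming another file
    over the path after the check has no effect; in-place writes are not covered.
    """
    fd = os.open(path, os.O_RDONLY)
    if hmac.compare_digest(digest_of_fd(fd), pinned_hex.lower()):
        return fd
    os.close(fd)
    return None


def run_pinned(path, pinned_hex, argv):
    """Replace this process with the verified binary, or refuse to run it."""
    fd = open_if_pinned(path, pinned_hex)
    if fd is None:
        raise SystemExit(f"refusing to run {path}: digest differs from pinned value")
    os.set_inheritable(fd, True)  # lets '#!' scripts be exec'd by descriptor too
    os.execve(fd, argv, os.environ)  # requires os.execve in os.supports_fd


def demo():
    """Constructed sample: a stand-in 'binary' that is then modified."""
    body = b"#!/bin/sh\necho stand-in for pgp\n"
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(body)
    pin = hashlib.sha256(body).hexdigest()
    fd = open_if_pinned(f.name, pin)
    before = fd is not None
    if before:
        os.close(fd)
    with open(f.name, "ab") as g:
        g.write(b"echo replaced\n")  # simulated tampering
    after = open_if_pinned(f.name, pin) is not None
    os.unlink(f.name)
    return before, after
```

`demo()` returns `(True, False)`: the untouched file is accepted and the modified one is refused.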