Auto-pgp for pine/elm/tin (fwd)
In Garfinkel's book, he talks about the risks of running PGP on a multiuser system where others (sys. admins, eg) have higher levels of authority than you do. I have PGP installed on my pc and if I want to use it, I can save the message in ascii, then upload it to the server where I have my Internet account, then mail it. maybe not entirely transparent, but at least it seems to me that the convenience of running it on the server with something like Mr. Wilcox's BAP is not worth the added risk. Besides, how often do you need to use it? -- pjp ---------- Forwarded message ---------- Date: Fri, 25 Aug 1995 12:03:52 -0400 (EDT) From: Henry W. Farkas <hfarkas@ims.advantis.com> To: cypherpunks@toad.com Subject: Auto-pgp for pine/elm/tin -----BEGIN PGP SIGNED MESSAGE-----
Does anyone know of an addon to the Pine mailer that supports PGP? the only PGP software i could find required me to first compose a letter in an editor then run it through a pgp signature program then finally read it into my favorite mailer.
I'm looking for something that is hopefully transparent, or if not relatively quick to do. ________________________________________________________________________ Sameer Manek Seawolf@challenger.atc.fhda.edu ________________________________________________________________________
- ------------------------------------------------------------------------ Yes, it exists, and I'm using it now. I've tried competing products and found this to be the cleanest, smoothest and easiest to install. I have no personal, commercial or financial interest in this product. It does "auto-pgp" for pine, elm and tin. *********************************************************************** * BAP v.1.01 * * Written August 1995 by Bryce Wilcox * * e-mail: <bryce.wilcox@colorado.edu> * * PGP key id: <617C6DB9> * * snail mail: <2228 Canyon Blvd, Apt. 1E, Boulder, CO, 80302> * * URL: <http://cs.colorado.edu/~wilcoxb/home.html> * * BETA TEST VERSION! DO NOT DISTRIBUTE! * * (Note that documentation, among other things, is still unfinished.) * *********************************************************************** I also found the author responsive to my comments and suggestions. Just please do *-NOT-* put your pass phrase in a cleartext file! - ------------------------------------------------------------------------ =========================================================================== Henry W. Farkas | Me? Speak for IBM? Fat chance. hfarkas@ims.advantis.com |------------------------------------------------ hfarkas@vnet.ibm.com | http://newstand.ims.advantis.com/henry henry@nhcc.com | http://www.nhcc.com/~henry - --------------------------------------------------------------------------- PGP 6.2.2 Key fingerprint: AA D0 F5 44 C1 8C 11 52 B3 80 34 1C CE 38 EC 53 Public key at: pgp-public-keys@pgp.mit.edu, and other popular key servers. - --------------------------------------------------------------------------- Brought to you by Henry's Hardware: Home of the Pretty Good Hack "We're not fast, but it's not bad, and we're cheaper than the guy down the street!" =========================================================================== -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Auto-signed with Bryce's Auto-PGP v1.0beta iQCVAwUBMD30WaDthkLkvrK9AQF6sQP/fVen7ZI4DbgC14y+NPdZYOjaRQ9/jQNT d4StD638OoBRkO7b8efiTd/rNULwuzSPKDiplKwRdE8Bboh4FdSWYvz6wfqgNJcd D3imouQcEt+erjEC2H5haQyZwBHeNNR9mTYhkzoBt4+jMqsRCECduaExyHUOTWFj euOkRqTJ0l4= =2q74 -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
I have PGP installed on my pc and if I want to use it, I can save the message in ascii, then upload it to the server where I have my Internet account, then mail it.
I use PGP on every outgoing message and about 20% of incoming messages. And I send/receive a *lot* of messages. No way I would be able to do a process like the above on my mail. In a few weeks I will be able to get mail on my home computer, but most (80%?) Internet users will still not have that luxury.
maybe not entirely transparent, but at least it seems to me that the convenience of running it on the server with something like Mr. Wilcox's BAP is not worth the added risk.
In my opinion it *is* worth the risk. I believe that having "BEGIN PGP SIGNED MESSAGE" in your posts and e-mail is a social good (raising public awareness of/acceptance of PGP) which is more important than actually protecting my e-mail from spying/forgery.
Besides, how often do you need to use it?
Public awareness/acceptance, traffic analysis, the "electronic envelope" analogy... If you don't use it, it's not doing any good at all. Regards, Bryce signatures follow: + public key on keyservers /. island Life in a chaos sea or via finger 0x617c6db9 / bryce.wilcox@colorado.edu ---* -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Auto-signed with Bryce's Auto-PGP v1.0beta iQCVAwUBMD6C7/WZSllhfG25AQFQ7gP9EX48Bw6mZ5WJYR+4j78oPUL7++Irz39i b6EbU8ZWUia1AEqSVLmKibIE4JOBejZKzSCCF4OrE7j+BCT1B5hLbIrUZzNNHDQk pXbfLo51FyIsR4SlCYtWdsMUiAI08ACOAAxtab/3uC2DEO7UB/9A+xALPGNFQWdz oRnku9NOOY0= =0uru -----END PGP SIGNATURE-----
On Fri, 25 Aug 1995, Bryce Wilcox wrote:
-----BEGIN PGP SIGNED MESSAGE-----
I have PGP installed on my pc and if I want to use it, I can save the message in ascii, then upload it to the server where I have my Internet account, then mail it.
I use PGP on every outgoing message and about 20% of incoming messages. And I send/receive a *lot* of messages. No way I would be able to do a process like the above on my mail.
In a few weeks I will be able to get mail on my home computer, but most (80%?) Internet users will still not have that luxury.
Is that assumption based on the fact that most inet users are using shell accounts? Using a PPP or SLIP dialup and managing your mail locally using POP is pretty easy. Clients like Private Idaho and PGPclip then make the PGP transition painless. Here at USIS, we have 305 entries in the password file. Subtract 10 entries for system accounts (root, news, majordomo, bin, etc) Now of the entries left 80 are PPP, 48 SLIP. There are shell accounts for each slip/ppp user, thus we have 39 people left over who are shell only. So, 70% of our users have the ability to locally manage and pgp encrypt mail. Now that winblows 95 is out and ppp dialup into the i-net is point and gruntable, I expect this disparity to worsen. Why learn icky unix commands when you can follow some simple instructions and have ras up and running ppp in 10 minutes? Since people will _already_ be using windows mail interfaces, the transition to PGP wil be quick and painless. Hell, I hear the latest version of Eudora has it integrated. David Neal <dneal@usis.com> - GNU Planet Aerospace 1-800-PLN-8-GNU Unix, Sybase and Networking consultant. "...you have a personal responsibility to be pro-active in the defense of your own civil liberties." - S. McCandlish
-----BEGIN PGP SIGNED MESSAGE----- On Fri, 25 Aug 1995, P.J. Ponder wrote:
Date: Fri, 25 Aug 1995 21:52:47 +0100 From: P.J. Ponder <ponder@wane-leon-mail.scri.fsu.edu> To: hfarkas@ims.advantis.com Cc: cypherpunks@toad.com Subject: Auto-pgp for pine/elm/tin (fwd)
In Garfinkel's book, he talks about the risks of running PGP on a multiuser system where others (sys. admins, eg) have higher levels of authority than you do. I have PGP installed on my pc and if I want to use it, I can save the message in ascii, then upload it to the server where I have my Internet account, then mail it. maybe not entirely transparent, but at least it seems to me that the convenience of running it on the server with something like Mr. Wilcox's BAP is not worth the added risk. Besides, how often do you need to use it? -- pjp
the risks etc of using pgp on a multiuser platforms are well known. i'd say it's better to have a pgp signed mesg than an unsigned one. if you post a lot, or mail a lot, that's a lot of mesgs to sign. finding a tool to do this more easily than using pgp through the shell interface is 'a good thing'. given that, here are some args for signing on a multiuser platform. often, people (me included) choose to use a separate 'weak' key for these purposes. it's always nice to have some sort of indication that that is what the key is for. i had a key with 'INSECURE KEY!!' tagged on the end of my userid. i had another for secure communications. now, you can't stop some sysop type person from doing whatever to you. that's the way it goes. but, if you've got a really malicious sysop, they could just spoof you to the world, including making up a key supposedly from you. if they posted enough crap using that key people would begin to think that they are really you or that one of you is lying and to hell with both of you. this sort of denial of service attack is an unlikely event (unlikely for a sysop to do - someone else is a diff matter). finally, independent of multiuser platforms, the signing utilities are quite useful for people like me who have their own personal unix box on the net. - -pjf patrick finerty = zinc@zifi.genetics.utah.edu = pfinerty@nyx.cs.du.edu U of Utah biochem grad student in the Bass lab - zinc fingers + dsRNA! ** FINGER zinc-pgp@zifi.genetics.utah.edu for pgp public key - CRYPTO! zifi runs LINUX 1.2.11 -=-=-=WEB=-=-=-> http://zifi.genetics.utah.edu -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMD6GjE3Qo/lG0AH5AQHazAP/ToRRiftaXDspBAnECzoM1ZexhqKb8Ou/ uxSljS/w3h9yz7+j6bJIbak1CI2JFrTneyj6jKsW/2wCV/p65F+5dvD2a2VUCJ6u +93zmFHiMS0XhCl3lLutKKlcrZkXC1P1qvY7ozFYoJ5PQ7rqQGfoxUuPisGJ5gJm XH/kkQSIuis= =VpN7 -----END PGP SIGNATURE-----
participants (4)
-
Bryce Wilcox -
David Neal -
P.J. Ponder -
zinc