Re: key for Alice as promised (not)
Alice here ... Sorry to follow up on my own post, but I made a boo boo. A real, big boo boo.

On Wed, 29 Nov 1995 anonymous-remailer@shell.portal.com wrote:
On Wed, 29 Nov 1995, Adam Shostack wrote:
I don't follow. You're claiming that PGP is good enough to transfer OTPads, but not good enough to sign pseudonymous messages?
Sure. Two different situations.
If I take a message or a data tape and encrypt it with a one time pad.
And then I send the message out to someone via Greyhound or DHL.
And once they've confirmed that they have the encrypted message safely in hand, then I'll call them and ask them to call me with their public key delivered by voice via telephone.
Actually, I made a big mistake here. It's not good enough for me to call them. Usually I have them first call me, and then I call them back.

I learned to do this in real-estate when I had my property management company. Very often, someone would call the office, and say something along the lines of "This is Constable Acheson, from the Calgary City Police. Could you please tell me the forwarding address of your former tenant, Alice" (or Bob, or whatever). My standard response always was to ask for whoever identified himself as "Constable Acheson" to provide his division. Then I'd hang up, check the number for the main switchboard in the phone book and then call him. This way, I'd be sure it was actually him, and that he was calling from where he claimed. You'd probably be surprised (or maybe not) how many times, there was no such Constable. Luckily, I just didn't give out my information to just *anyone*.

And the same stuff applies here ... with reading and verifying the key over the telephone. With the phone call there should be a hangup and then some third-party authority to confirm that the channel of communication is *really* a valid channel.

Sorry, about leaving that part out. It was a boo boo, eh? But it's important, RL stuff.
Which I then use to encrypt the one-time-pad, using the PGP key only once.
Then, I'm comfortable sending it (not the message, but the pad) over the Internet encrypted with PGP. And I think at that point, I have Pretty Good Privacy.
Adam
-- "It is seldom that liberty of any kind is lost all at once."
Alice de 'nonymous ...
...just another one of those...
P.S. This post is in the public domain. C. S. U. M. O. C. L. U. N. E.
Yep, it was the real me this time ... and no, I didn't add another "signature" encrypted or not encrypted to the bottom of this post. Let me ask this though?? Would the "quality" of my post have changed one way or another, if this was signed, or not?? IMHO, the message should make sense (or not) either way. ... Alice ...