Lack of PGP signatures

-----BEGIN PGP SIGNED MESSAGE-----

To: cypherpunks@toad.com
Date: Tue Jul 02 19:40:44 1996

I've noticed recently that two PGP programmers (Mr. Zimmermann and Mr. Atkins) do not seem to PGP clearsign their messages to this list. In fact, a surprisingly small percentage of messages on the C-punk list are signed. This despite the fact that the average subscriber is at least literate in PGP.

Does anybody have any speculation on why this is?

Is it because people consider mundane mail unimportant enough to sign?

Is it because the members of this list are more concerned with encryption than authentication?

Is it because most mail programs are not PGP aware?

Is it because of the weaknesses in MD5?

David F. Ogren                |
ogren@concentric.net          | "A man without religion is like a fish
PGP Key ID: 0x6458EB29        | without a bicycle"
- ------------------------------|----------------------------------------
Don't know what PGP is?       | Need my public key? It's available
Send a message to me with the | by server or by sending me a message
subject GETPGPINFO            | with the subject GETPGPKEY

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
-----END PGP SIGNATURE-----

> I've noticed recently that two PGP programmers (Mr. Zimmermann and Mr. Atkins) do not seem to PGP clearsign their messages to this list. In fact, a surprisingly small percentage of messages on the C-punk list are signed. This despite the fact that the average subscriber is at least literate in PGP.

Actually, I don't PGP sign my messages because 95% of the time my connection to my mail host (the machine on which I read and respond to mail) is insecure. Composing the message, bringing the message to my local machine, running PGP, re-uploading the message, and sending it is a big deal and I don't consider it important enough for my everyday posts. When I send out notices that I consider important I do sign them. But that is fairly rare (at the moment). Basically, I refuse to type my passphrase over the net, which signing all my messages (this one included) would require.

-derek

-----BEGIN PGP SIGNED MESSAGE-----

On Tue, 2 Jul 1996, Derek Atkins wrote:

> Actually, I don't PGP sign my messages because 95% of the time my connection to my mail host (the machine on which I read and respond to mail) is insecure. Composing the message, bringing the message to my

"Me too," though I recently created a 512-bit key just for the purpose of such insecure signing. As long as people understand that that key simply means "this is either me, or someone who has gone to the trouble of cracking root here, or someone who spent a couple weeks brute-forcing this key," it's useful to prevent casual attacks.

Several others are doing the same thing... I know all the NoCeM posters and most of the newsgroup moderators using PGPMoose have created such secondary keys.

- -rich
 finger or send mail with subject line "send pgp key" if you want 'em

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----

On Tue, 2 Jul 1996, David F. Ogren wrote:

> I've noticed recently that two PGP programmers (Mr. Zimmermann and Mr. Atkins) do not seem to PGP clearsign their messages to this list. In fact, a surprisingly small percentage of messages on the C-punk list are signed. This despite the fact that the average subscriber is at least literate in PGP.
>
> Does anybody have any speculation on why this is?
>
> Is it because people consider mundane mail unimportant enough to sign?

This is one reason. I think that there are several other reasons:

-- Someone may be using a machine at work or on a multiuser UNIX system which is untrusted and insecure. In the case of a UNIX account, one could compose a message off-line and rz it using a term program, but that is a major hassle.

-- Many email programs do not have support for PGP so signing a message often requires a lot of cutting and pasting.

-- PGP may not work on the computer a person is using for Internet access or the system might be too slow to use PGP.

> Is it because the members of this list are more concerned with encryption than authentication?

I think they are both equally important. The point of public-key cryptography is the ability to communicate with a person without having a secure channel to exchange keys. Once keys can be transmitted using the same medium used for the encrypted traffic, it makes a MITM or denial-of-service attack much easier. There has to be some out-of-band method to authenticate keys. Without authentication, a lot of the security that could be gained by using PK crypto is lost.

> Is it because most mail programs are not PGP aware?

I don't know of any mail programs that can use PGP (I know there are various interfaces, sendmail wrappers, and other hacks, but I have yet to see a mailer with an "Encrypt" or "Sign" option).

> Is it because of the weaknesses in MD5?

Doubtful. PGP authentication is better than no authentication.

- -- Mark
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
markm@voicenet.com              | finger -l for PGP key 0xe3bf2169
http://www.voicenet.com/~markm/ | d61734f2800486ae6f79bfeb70f95348
"Freedom is the freedom to say that two plus two make four. If that is
granted, all else follows." --George Orwell, _1984_

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3
Charset: noconv
-----END PGP SIGNATURE-----
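The out-of-band key check Mark argues for above, as an added example that is not part of the original thread: a key that arrived over the same medium as the mail is accepted only if its PGP 2.x fingerprint matches one obtained over a separate channel, since the short key ID alone does not tell two keys apart. The moduli, exponent and function names are constructed for this example and are not anyone's real key.

```python
import hashlib

def mpi_body(x: int) -> bytes:
    """Big-endian bytes of an MPI, without its two-octet bit-length prefix."""
    return x.to_bytes((x.bit_length() + 7) // 8, "big")

def v3_fingerprint(n: int, e: int) -> str:
    """Fingerprint of a PGP 2.x (v3) RSA key: MD5 over the MPI bodies of the
    modulus n followed by the exponent e (RFC 4880, section 12.2)."""
    return hashlib.md5(mpi_body(n) + mpi_body(e)).hexdigest()

def short_key_id(n: int) -> str:
    """The 8-hex-digit key ID PGP 2.6 prints: low 32 bits of the modulus."""
    return f"0x{n & 0xFFFFFFFF:08X}"

def normalise(fpr: str) -> str:
    """Accept a fingerprint as printed or read aloud: spaces, mixed case."""
    return "".join(fpr.split()).lower()

def key_matches(n: int, e: int, out_of_band_fpr: str) -> bool:
    """True only if the key received in-band hashes to the fingerprint that
    was obtained over a separate channel (phone call, paper, in person)."""
    return v3_fingerprint(n, e) == normalise(out_of_band_fpr)

# Constructed sample values: 512-bit odd integers standing in for RSA moduli.
# They are not real keys and belong to nobody on this list.
E = 17
GENUINE_N = (1 << 511) | (0x5A5A5A5A << 200) | 0xC0FFEE01
SUBSTITUTED_N = (1 << 511) | (0xA5A5A5A5 << 200) | 0xC0FFEE01

if __name__ == "__main__":
    trusted = v3_fingerprint(GENUINE_N, E)   # what the owner read out to us
    for label, n in (("genuine", GENUINE_N), ("substituted", SUBSTITUTED_N)):
        print(label, short_key_id(n), v3_fingerprint(n, E),
              "ACCEPT" if key_matches(n, E, trusted) else "REJECT")
```

Both sample keys print the same short key ID, so only the fingerprint comparison separates them.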

"David F. Ogren" writes:
> Atkins) do not seem to PGP clearsign their messages to this list. In fact, a surprisingly small percentage of messages on the C-punk list are signed. This despite the fact that the average subscriber is at least literate in PGP.
>
> Does anybody have any speculation on why this is?

I'd say this is it:

> Is it because most mail programs are not PGP aware?

-----BEGIN PGP SIGNED MESSAGE-----

Mark M writes:

MM> On Tue, 2 Jul 1996, David F. Ogren wrote:

DO> In fact, a surprisingly small percentage of messages on the C-punk
DO> list are signed. This despite the fact that the average
DO> subscriber is at least literate in PGP.
DO>
DO> Does anybody have any speculation on why this is?
DO>
DO> Is it because people consider mundane mail unimportant enough to
DO> sign?

MM> This is one reason. I think that there are several other reasons:

> Is it because most mail programs are not PGP aware?

MM> I don't know of any mail programs that can use PGP (I know there
MM> are various interfaces, sendmail wrappers, and other hacks, but I
MM> have yet to see a mailer with an "Encrypt" or "Sign" option).

Well, I'd say that the emacs/Gnus/mailcrypt combo is PGP aware
- - properly installed, emacs has encrypt, sign, and remail menu items. I don't use it routinely mainly because I haven't set things up to propagate my key, so signing articles would be kind of useless.

- --
#include <disclaimer.h> /* Sten Drescher */
Unsolicited solicitations will be proofread for a US$100/page fee.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface
-----END PGP SIGNATURE-----

participants (6)
- David F. Ogren
- Derek Atkins
- Firebeard
- Mark M.
- Perry E. Metzger
- Rich Graves