-----BEGIN PGP SIGNED MESSAGE----- [The following is being posted to alt.security.pgp, sci.crypt, and cypherpunks and e-mailed to my friend Sebastian. -Bryce] Ed Pugh writes that he doesn't sign all his e-mail because he doesn't have a decent off-line news/mail setup. I strongly suggest to Ed, and all others who have this complaint (of whom there seem to be many), that they go ahead and generate a "reduced security" key pair for use on-line. That is, the private key will be accessed while you are on-line so that it is easy for you to use it for routine signing and encryption/decryption. There are at least 3 good reasons to do this: 1. Even though a hacker or sysadmin on your system can then read your mail or fake mail from you, at least a hacker or sysadmin on *my* system can't read my mail to you or fake mail from you to me. 2. "Think of it as a form of solidarity." If everyone used these "reduced security" keys, and the hypothetical Big Brother police organizations want to routinely scan e-mail for keywords or something, they would have to secretly get access to every ISP and freenet in the country! By transmitting your e-mail in the clear you are making their job a lot easier. 3. The more people have "-----BEGIN PGP SIGNED MESSAGE-----" in their UseNet posts and e-mail, the more people will say "Hey what is this PGP stuff?" or "Hey, everyone seems to be using PGP, maybe I should get in on it." By using a "reduced-security" private key you are gaining some of the advantages of public-key cryptography for yourself as well as contributing to its widespread acceptance in net.society. (You might think that most people on the Internet know about PGP, but this is not true. Only a fraction have even heard of it, and only a *small* fraction have any understanding of it. A small fraction of *that* population uses it regularly, which is what I am trying to change.) Ed wrote that he downloads text to his home computer and signs it with his high-security private key there when he feels that it is important enough. He should continue to do this! I have one key which I keep on my home computer (and which my more paranoid friends like to use) and one which I keep on colorado.edu computers. (Both keys have signed each other, by the way.) I know that Zimmermann specifically warns against what I am suggesting in pgpdoc1.txt, and I think that it is a mistake for him to do so. In short, there is no reason why every PGP-aware individual should not at least clearsign if not encrypt every message which he or she transmits. There are several advantages to doing this and no disadvantages. The greatest threat to security is that people don't use it! Help change that by encrypting/signing *all* of your output. Bryce In alt.security.pgp, Ed Pugh <ai928@FreeNet.Carleton.CA> wrote:

Not to mention the fact that it is a major PITA for those of us who do not have a decent off-line news/mail program. My main connection to the net from home is the National Capital FreeNet here in Ottawa. It is the main reason why I do not sign my posts. I do (and have done) if I feel that a posting is somehow "important" enough to warrant a signature, but those tend to be *very* rare.

From home, I use a dial-up access with a PC terminal emulator program (I use TELIX).

The three or four postings in this thread which were encrypted had to be down-loaded (using screen capture), then decrypted in DOS. It would be nice to have a decent off-line reader/editor but .... <sigh>.

Please let's keep postings in the clear. If I feel a need to verify a signature, I will (using the method above).

-----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Auto-signed with Bryce's Auto-PGP v1.0beta Unix script iQCVAwUBMCCx3PWZSllhfG25AQHDJQQAriQoxQoUKzT9OuF/Vo29phj/2FmwhsAR XobTIeYp0ViD0/SHF7FiZPCjuAYx8vCtzUfiC1ZIkiKa3t13aGT3phPY1JN2ZHdV u7vBJE8syGT8iJ3iw+d0TtnL0bA92/FZ3o1wfy8nCT/8ujbsgC31LWKaC+Bip4Ui ckTYXXx1PYs= =nvP/ -----END PGP SIGNATURE-----