EFF gun-shy of legally employing PGP (fwd)
Grady, this kind of smear is unnecessary. I didn't respond to further queries because I didn't see any further queries. I expect you to apologize for this forthwith.

Some people apparently have too much time on their hands, and they fill it with speculations about others' motives.

In the meantime, I'll give you three reasons we didn't use PGP.

1) It wouldn't have solved the problem, since the majority of people who spread the false press release are not encryption users.
2) PGP is inconvenient to use.
3) EFF is a Mac shop, but our licensed copy of Viacrypt doesn't run on the Mac.

Feel free to forward this message. And, please, try not to hinder our effectiveness with further unsupported smears and accusations. Thanks in advance.

--Mike

From: grady@netcom.com (Grady Ward)
Subject: Re: "Porn Press Release" from EFF is a Hoax
Message-ID: <gradyCMtHxp.M6L@netcom.com>
Followup-To: alt.2600,comp.org.eff.talk
Organization: Moby lexical databases
X-Newsreader: TIN [version 1.2 PL1]
References: <CMI2AL.uAD@sernews.raleigh.ibm.com> <2m2mou$mp1@eff.org> <1994Mar15.170955.21185@nntpd2.cxo.dec.com> <2m5p3f$gt4@agate.berkeley.edu>
Distribution: inet
Date: Thu, 17 Mar 1994 16:32:13 GMT
Lines: 78

Steve Pope (spp@zabriskie.eecs.berkeley.edu) wrote:
: page@solvit.enet.dec.com (My name is...) writes:
: > Yes, but the point of the reply, is that PGP signatures SHOULD
: > be used by sysops.
: Hmmm... why PGP, as opposed to the FIPS Digital Signature Standard?
: Is the latter not in place yet?

Yes, you can use the DSS (unless it is given away to PK partners, that is). The importance of using PGP or another strong privately developed crypto is that it supports the industry rather than relies upon the government.

But since Mr Godwin has answered the question to his satisfaction and is not responding to further questions, I guess we will never know the real reason why the EFF will not use PGP to digitally sign press releases.

Apparently Mr Godwin chooses not to be responsive to the EFF membership with respect to this issue. He only has said that sysops don't use PGP so rumors would not be quashed anyway. From a person of his intelligence this is about the lamest reason I've heard.

Let me see if I can speculate on the real reasons the EFF may not choose to use PGP to sign press releases:

(0) Using PGP would be provocative to the very powers we seek to infiltrate
    [ViaCrypt PGP is perfectly legal and fully licensed.]

(1) There is not a problem with authenticity.
    [This must be false, otherwise Mr Godwin wouldn't have begun this thread]

(2) Signing with PGP is not effective.
    [false; MD5 and RSA have no known weaknesses]

(3) Signing with PGP is too hard or would take too much time
    [false, perfect for irregular press releases]

(4) PGP signatures take too much bandwidth.
    [false, again perfect for the moderate to longer press releases]

(5) Sysops don't use PGP, rumors would spread anyway
    [Sysops might begin with suitable leadership; the signature of course could be ignored and the rumor spread anyway -- but if there *were* a question of authenticity an individual could check the authenticity without needing to log on to EFF's server or needing to personally contact an EFF official]

(6) Signatures make the press release harder to read
    [false, a single line at the beginning and a block of lines at the end are added, none of the body is changed in any way]

(7) We are journalists and attorneys, not nose-picking nerds
    [??????]

(8) We are journalists and attorneys, this might expose us to greater liability and less 'deniability'.
    [???????]

(9) We just defend these 'PGP' and 'BBS' people. We don't actually want to ASSOCIATE with them more than we have to. Cooties.
    [???????]

(10) The EFF does not have to explain its actions or inactions to anyone.
    [???????]

While Sternlight is merely annoying, and sometimes entertaining, EFF's lack of dialogue on this leadership opportunity supporting private crypto signatures is very, very disappointing.

--
Grady Ward            | +1 707 826 7715  | finger grady@netcom.com for free
3449 Martha Ct.       | (voice/24hr FAX) | Moby lexicon brochure & samples
Arcata, CA 95521-4884 | 15E2ADD3D1C6F3FC | KN6JR monitoring 14.178 & 14.237
USA                   | 58ACF73D4F011E2F | 1800 UTC - 2000 UTC daily
On not using PGP:
> 1) It wouldn't have solved the problem, since the majority of people who spread the false press release are not encryption users.
Yes, it would solve the problem. Not every individual could have verified the message, but enough people would have, and immediately enough, that no question would have remained for long about the forgery.

The epistemology of authorship is of social nature already. With cryptography, one can lift authorship of public keys to authorship of documents, but this is an optimization, not a necessity. By allowing those people who do use cryptography to verify authorship, one can speed the process for the rest.

Not everyone currently uses crypto, true, but better a partial benefit than none at all. And the partial benefit of a signed message is most of the benefit.
> 2) PGP is inconvenient to use.
> 3) EFF is a Mac shop, but our licensed copy of Viacrypt doesn't run on the Mac.
MacRIPEM is both easy to use and runs on a Mac. There may be other reasons not to use PEM and PEM-derived systems over PGP, but I do not think they outweigh, at this time, the public and forthright use of cryptography by the policy leaders, and I mean not only EFF here.

It is not my place to make internal EFF policy, but I will suggest it, namely, that all public communications that go out to Usenet and to public mailing lists be digitally signed by their authors.

Eric
Eric Hughes writes:
> On not using PGP:
>
> > 1) It wouldn't have solved the problem, since the majority of people who spread the false press release are not encryption users.
>
> Yes, it would solve the problem. Not every individual could have verified the message, but enough people would have, and immediately enough, that no question would have remained for long about the forgery.
I respectfully disagree. This may change in the future, of course. What surely would have happened is that few people would have bothered to check the signature, and those who did might try to counter the rumors, but I'd still get calls from people who want to know *directly from me* that it's a hoax (in other words, they wouldn't credit the claims of those who checked the signature). Net result--no difference in time and effort on my part.

Now, don't get me wrong--use of crypto is a good thing, and should be encouraged, and we may eventually standardize on its use within EFF. But the claim that this would have prevented the hoax is insupportable. Maybe in the future crypto society, but not now.

It is important to uncouple the argument that EFF should use crypto from the argument that if we had used it, the problem we saw here would not occur.
> MacRIPEM is both easy to use and runs on a Mac.
The specific argument that Grady Ward used to savage me and EFF is based on the claim that we should have used PGP *specifically*.
> It is not my place to make internal EFF policy, but I will suggest it, namely, that all public communications that go out to Usenet and to public mailing lists be digitally signed by their authors.
As a matter of pure aesthetics, I prefer other things in my .signature. There is even less poetry on the Net than there is cryptography.

Mike Godwin, (202) 347-5400 |"And walk among long dappled grass,
mnemonic@eff.org            | And pluck till time and times are done
Electronic Frontier         | The silver apples of the moon,
Foundation                  | The golden apples of the sun."
While Mike may indeed be correct about the incremental effectiveness of using PGP *at this time*, I think Eric's point is the more important -- that as a leading organization promoting electronic privacy and access, EFF ought to set an example, one positive offshoot of which might be an *improvement* in EFF's communication effectiveness since the spoofing issue can be dealt with so much more easily.

This is really a wake-up call to all of us, I think. I've had PGP sitting around on the shelf for a while now, and I'm not using it . . . yet. But that's going to change.

If *we* don't take advantage of these tools now, in effect defining their use and showing their benefits, then who will? Those who lobby and advocate on behalf of these tools and approaches ought to have direct experience with them. It will make our efforts more authentically based on experience and thus more effective.

Fred Heutte
Sunlight Data Systems
phred@well.sf.ca.us
phred@teleport.com

"Why make it simple & easy
When you can make it complex & wonderful!"
-----BEGIN PGP SIGNED MESSAGE-----

> If *we* don't take advantage of these tools now, in effect defining their use and showing their benefits, then who will?

Hear, Here!

John E. Kreznar    | Relations among people to be by
jkreznar@ininx.com | mutual consent, or not at all.

-----BEGIN PGP SIGNATURE-----
Version: 2.3a

iQCVAgUBLY6nTMDhz44ugybJAQF9oQP/YG92TNu/h96ZM7b6HQRHrfbSSrJCmZyw
Gg8hIXKAzcPWpLF9iPe0Z8/aV3sjv5YySVVwVgzorNcrSBGI5tCkXe9I0Hh5ys/7
yVbfXxOLhAFERahkeuwFOrVN9724Q/iUNAsAka4FyiGSlPuP/gAyJtadS9H3O/9I
O8dgbhlO3ug=
=Nt/l
-----END PGP SIGNATURE-----
Participants (4): Fred Heutte, hughes@ah.com, jkreznar@ininx.com, Mike Godwin