USENET newsreaders and cryptography: features/suggestions/questions
Hello out there!

The current version of strn (see below) contains a signature verification command (control-V). It looks for either a RIPEM or PGP signature line and passes the article to the appropriate command for verification. (Strn leaves it up to the user to interpret the output of the command.)

I have a few questions/requests that I hope the cypherpunks list can help me with:

1. Does anyone know if including code like system("pgp -m foobar") might cause legal problems? Strn doesn't implement any cryptographic techniques.

2. What's the status on a USA-legal PGP (using RSAREF)? I would like to greatly expand strn's cryptographic features, but I'd rather not implement features that many of strn's users can't use. (That includes me--I won't use PGP until/unless the legal issues are cleared up.)

3. It would be greatly convenient if someone would implement a "verify signature only" switch for PGP. Most of the applications I would like to use don't involve data hiding--just signature verification. I'm also lobbying the RIPEM author to include a similar feature.

Also, if anyone has any comments or suggestions about newsreader cryptographic features feel free to send mail. I hope to do some work later with things like remote reconfiguration, trusted ratings, suggested reading lists, and the like.

--Cliff

P.S. Strn is about 10K lines of C code added to trn. It is (probably) just a few weeks away from a public beta test. If anyone really wants to test strn, let me know and I'll consider it. More information is also available via finger or mail.

--
Clifford A. Adams   caadams@polaris.unm.edu | USENET Interface Project:
457 Ash St. NE   Albuquerque, NM 87106      | Tools for advanced newsreading
STRN (Scan TRN) now in testing: trn 3.0 plus flexible newsgroup menus,
fast article scoring with score ordered display, and merged/virtual newsgroups.

In message <9307080348.AA10446@polaris.unm.edu>, Clifford A Adams writes:

> 1. Does anyone know if including code like system("pgp -m foobar") might cause legal problems? Strn doesn't implement any cryptographic techniques.

I wouldn't know, but to stay completely safe, it *might* be a good idea to use environment variables.

    CRYPTOPROGRAM=pgp
    system(strcat(getenv("CRYPTOPROGRAM"), " -m foobar"))

(I'm not well-versed in strcat, so this could be wrong, but you know what I mean.)

Then you're not mentioning PGP at all in the code. (Env. variables for the options would be a good idea as well.. that way you can't be attacked under the premise, "It's OBVIOUSLY for PGP, because the options are PGP-options.")

> 3. It would be greatly convenient if someone would implement a "verify signature only" switch for PGP. Most of the applications I would like to use don't involve data hiding--just signature verification. I'm also lobbying the RIPEM author to include a similar feature.

One feature I'd like would be easy to parse PGP output. That way PGP can be more easily integrated with other programs. For example, doing the following: (-p for "easyparse"?)

    pgp -p <signed.txt

Would create output to stderr:

    3434/344D Sameer Parekh <zane@genesis.mcs.com> 01/01/93 12:34:56 GMT

Then a program can parse it very easily. A successful sig would give a return code of 0, and failed sig would have a nonzero return code.

--
| Sameer Parekh-zane@genesis.MCS.COM-PFA related mail to pfa@genesis.MCS.COM |
| Apprentice Philosopher, Writer, Physicist, Healer, Programmer, Lover, more |
| "Symbiosis is Good" - Me_"Specialization is for Insects" - R. A. Heinlein_/
 \_______________________/ \______________________________________________/

On Thu, 8 Jul 1993, Sameer wrote:

> CRYPTOPROGRAM=pgp
> system(strcat(getenv("CRYPTOPROGRAM"), " -m foobar"))
> (I'm not well-versed in strcat, so this could be wrong, but you know what I mean.)

I know you put a disclaimer, but I'll warn you that the above code is very dangerous... strcat() concatenates to its first argument, and the value returned by getenv is not a suitable argument in this case... the fix:

    char enccmd[100];
    const char *prog = getenv("CRYPTOPROGRAM");
    /* getenv() returns NULL when unset; the value must also fit in enccmd */
    if (prog != NULL && strlen(prog) + strlen(" -m foobar") < sizeof(enccmd)) {
        strcpy(enccmd, prog);
        strcat(enccmd, " -m foobar");
        system(enccmd);
    }

However, I still find this unsatisfying, as the '-m' is probably a PGP specific option, and it seems to me that a more general solution would be either some form of template in the environment variable:

    CRYPTOPROGRAM="pgp encode=-e decode= sign=-s stdin=-f text=-t ascii=-a conventional=-c userid=-u %u forcepager=-m pagemode=-m wipeorig=-w recoverorigfilename=-p detatchsig=-b leavesigintact=-d adresseelist=%a ...and so on..."

or a set of environment variables, such as:

    CRYPTOENCODE=
    CRYPTODECODE=
    CRYPTOSIGN=
    CRYPTOVERIFYSIGNATURE=
    ...and so on...

Either way is a lot more work, but probably a lot more general as well... This is a piece of code that only needs to be written once... would take more work to do the documentation than the code... Any takers, or should I put this on my TODO list as well?

--
Nick MacDonald               | NMD on IRC
i6t4@jupiter.sun.csd.unb.ca  | PGP 2.1 Public key available via finger
i6t4@unb.ca                  | (506) 457-1931         ^{1024/746EBB 1993/02/23}

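Added example, not written by any poster in this thread: one way to run a verifier named by an environment variable while avoiding the problems discussed above. It handles an unset or oversized value and uses execvp() instead of system(), so the article file name is passed as a single argument and never interpreted by a shell. The variable name CRYPTOVERIFYSIGNATURE is taken from the list above; the "%f" file placeholder, MAX_ARGS and both function names are assumptions made for this example.

```c
/* Added example: run the verifier named by an environment variable with no
 * shell in between. The "%f" file placeholder is an assumption made here. */
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_ARGS 16

/* Split tmpl on blanks into argv[] (room for MAX_ARGS + 1 pointers), replacing
 * the word "%f" with file. Words live in buf. Returns argc, or -1 if tmpl is
 * NULL or empty, or does not fit in buf or argv. */
int build_argv(const char *tmpl, const char *file,
               char *buf, size_t buflen, char **argv)
{
    int argc = 0;
    if (tmpl == NULL || strlen(tmpl) >= buflen)
        return -1;                      /* unset variable or too long */
    strcpy(buf, tmpl);                  /* safe: length checked above */
    for (char *w = strtok(buf, " \t"); w != NULL; w = strtok(NULL, " \t")) {
        if (argc == MAX_ARGS)
            return -1;
        argv[argc++] = strcmp(w, "%f") == 0 ? (char *)file : w;
    }
    argv[argc] = NULL;
    return argc > 0 ? argc : -1;
}

/* Run the template stored in the variable envname against file.
 * Returns the verifier's exit status (0 = signature accepted, the convention
 * proposed earlier in the thread), or -1 on any error. */
int run_verifier(const char *envname, const char *file)
{
    char buf[256];
    char *argv[MAX_ARGS + 1];
    int status;

    if (build_argv(getenv(envname), file, buf, sizeof buf, argv) < 0)
        return -1;
    pid_t pid = fork();
    if (pid == 0) {
        execvp(argv[0], argv);          /* no shell: file stays one argument */
        _exit(127);                     /* exec failed */
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

With CRYPTOVERIFYSIGNATURE="pgp -m %f", a call such as run_verifier("CRYPTOVERIFYSIGNATURE", path) returns the program's exit code, or 127 if the program could not be executed.
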
participants (3)
- Clifford A Adams
- Nickey MacDonald
- zane@genesis.mcs.com