-----BEGIN PGP SIGNED MESSAGE-----

From: eric@remailer.net (Eric Hughes)

Let me review the exact proposal. First, a recognizer is set up at toad.com to distinguish between digitally signed and unsigned messages. Second, some action on the message would be taken, which would gradually increase in effect over time. The first action would be to add a header to the end of the mail identifying it as unsigned. A later action would be to delay the mail at the server for some amount of time. A final action would be to delete or bounce messages that weren't signed.

Perhaps something a little more useful would be a little more palatable. I have a feeling that something like the above would sound gratuitous to many on the list. A better way would possibly be to have some value-added service offered by the list server which involves encryption or digital signatures. Here are a few ideas: 1. What if all messages on the list were themselves signed by "Cypherpunks List <cypherpunks@toad.com>"? (yeah, I'm reaching here; let my brain warm up...) 2. Encrypted submission to the list. This could be useful if used in tandem with remailers, perhaps... 3. Offer anonymization locally. Messages posted this way could appear as "cypherpunks-reader@somewhere" or something like that. When combined with remailers and encryption (like #2 above), this could mix things up with respect to anonymous mail. As another (possible) option, the remailers could be set to recognize cypherpunks@toad.com and send in such a way as to use this local anonymizing. 4. Auto-verify signed messages. Put a header at the top of signed messages such as: [Signature verified. ID: Joe Blow <jblow@uunet.net>] [Bad signature! ID: Joe Blow <jblow@uunet.net>] for tested signatures. This would either require a key registry (where you register your public key with the list server) or an interface to the key servers. This would of course imply quite a few changes to the list server code, as well as possibly non-trivial resources to do the processing, but hey, social imperatives don't have to answer to reality, now, do they? (At least they never seem to when the government is concerned. :-) Two variants: Strip the signatures after verifying them, and/or marking unsigned posts in a similar way. 5. Allow the option to encrypt list messages before sending. If we used #4 above, this could encrypt with the public keys; otherwise, it could use conventional encryption. This could be a great boon to readers whose sysadmins might take a dim view of them reading such an antisocial list. :-) Corollary: allow the option of sending the list, encrypted, through the remailers as well without requiring a pseudonymous remailer. I'm sure I could think of more lamebrained ideas given enough time and motivation. :-)

I do, however, agree with the other two premises of Tim's hypothetical. I do think that crypto isn't being used by enough people. I realize that the exact meaning of 'enough' is subjective, so let me rephrase. I do think that crypto is being used by fewer people than I want. I also believe that setting an example is a good thing, because it signals an achievable task to those who are considering doing it.

I would agree, though I would suggest that holding out carrots (neat features you can take advantage of if you encrypt) would work better than punishments (your posts won't get through as fast if you don't sign your posts). Does that make me a Puller?

When I first proposed server actions last year, it was with the full realization that I wouldn't be signing my own posts and would thereby be subject to the delay (the first-proposed action). This post isn't signed either.

This post is. :-) I'm a believer that it serves as effective spoof insurance. But, then again, I've got a direct Ethernet link to the net on my Windows box at work and Linux at home, so it's easy for me. Also, I wasn't even a lurker at that time, so my suggestions may be old hat. If so, please bonk lightly! -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBLtuijTER5KvPRd0NAQFfXAQAgDrbMlEJBXU2V9NIquHNQGonE/dwwH0I aEnykWh+8Bu3hCdqYgbv6zhe7gc+0itb/QuwHMpUn8MNHE6VhykFPl+i7c3HOibf 0yAqPVy10UNMuJY6LxqSxfrTKwV/sFcnRWDaJcboL3MvTFrwRqC3ItdaOeokKvx2 1Cgv1ioQqfc= =gzbV -----END PGP SIGNATURE-----