-----BEGIN PGP SIGNED MESSAGE----- Eric Hughes scribbles:

Fine. I still win. My purpose is to communicate that I want list users to use encryption. If you feel the need to use someone else's service, then you have at least been exposed to the fact that signatures are desired at toad.com.

Some people may find a way around it. OK. I still get the initial sign-on message that new users see. Most people get the message. That's what I want.

As a personal policy I don't sign usenet news or mailing list postings, unless special circumstances arise, I sign most personal email where the text will be longer than the signature, or I know the other person is a proponent of PGP, and I encrypt messages to people I know can receive them without too much pain. I don't sign/encrypt to mailing list, as many people get disgruntled by it, and can cause problems of it's own. I suspect that most people on the list have worked with PGP at some point, simply because of the nature of the list. I don't see a problem with signing/encrypting to Cypherpunks for 90% of the people that contribute. How about just an annoyance responder that sends a piece of mail to people who post without signing/encrypting, telling them they should be encrypting, that it's the preferred method of doing things, and to do so in the future if possible? As a side note, if you want people to sign their notes, why aren't you doing so now? I apologize if this has already been asked and I missed it, and it's not intended as a flame, but it would seem that signing your own messages would be a good way of starting things toward the direction you want to go. Bob -----BEGIN PGP SIGNATURE----- Version: 2.6.1 iQCVAwUBLtyNZuS0CjsjWS0VAQFa+QQAqxXi8zCdKSQZKPBY2TdAxkj5qtGrA3Os berJslmnPdnpdc1xfpoWBnnT57d/z6EyExh1rDRxlXmENbB3uxl/X+ycq3XooiJo 0d0OeSiuHlKZLjEHN5en2b/6Lzv2uyxCRsJyfwJ8c+AIKsOiupRqBo8/jPnJ5zhf QYXDnVeZ5Gw= =Fdp+ -----END PGP SIGNATURE-----

(I've returned from a day and evening away from this list to find, not unexpectedly, a lot of acrimony. As I have to skim through so many messages, it is my preference this early in the morning to comment mostly on things I agree with, as I just did with James Donald. (Right after posting on a point of agreement, I saw his negative reaction to my points, and lack the energy right now to respond to them.)) Eric Hughes wrote:

As a side note, if you want people to sign their notes, why aren't you doing so now?

For the same reason that Tim isn't--it's too difficult.

Now I've just recently set up a new email machine and I expect that I'll be able to get signing set up on it before the end of the year. I have plenty of irons in the fire already, and this isn't the top priority.

"Plenty of irons in the fire" is indeed the crucial point. Learning how to make UQWK talk to AutoPGP in elm (or whatever) is apparently fine for some people (by my estimate, 20% of those who post), but many of the most valued (who shall remain nameless here) posters are *not* signing posts. I urge you all to watch who signs and who doesn't. Face it, some fraction of people on this list are gearheads, with their own Pentiums or Suns sitting on the Net and with lots of Unix/Linux tools they like to play with and that they can use to compile their premails and procmails and whatnot. More power to them. But many of us have "other irons in the fire" and don't plan anytime soon to abandon our existing tools (in my case, a PowerMac 7100AV, with video digitizers, etc., FrameMaker, Mathematica, SmalltalkAgents, etc.) in favor of more PGP-friendly Unix boxes. If people feel it would be better for the Cause if I eschewed writing on the issues I write aboue in favor of not writing, presenting, etc., and instead becoming a Unix gearhead, able to transparently sign all messages, then send your comments to me.

it would seem that signing your own messages would be a good way of starting things toward the direction you want to go.

It certainly would. My priorities on this are to get myself set up for signing. Then I need to get a recognizer written, then to hack vacation to use alternate database files, then to get my own personal resource list compiled, then to set my personal nagware. Only after all that do I intend to alter the list.

And I intend to do none of this, choosing to focus on other things, which is why I object to policies designed to modify behavior in the way being discussed in this recent thread. --Tim May -- .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay@netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^859433 | Public Key: PGP and MailSafe available. Cypherpunks list: majordomo@toad.com with body message of only: subscribe cypherpunks. FAQ available at ftp.netcom.com in pub/tcmay

Roy M. Silvernail wrote:

...

"Plenty of irons in the fire" is indeed the crucial point. Learning how to make UQWK talk to AutoPGP in elm (or whatever) is apparently fine for some people (by my estimate, 20% of those who post), but many of the most valued (who shall remain nameless here) posters are *not* signing posts. I urge you all to watch who signs and who doesn't.

It may just be that it's early and I'm only on my first cup of coffee, but are you suggesting an inverse correlation between the quality of a submission and the presence of a signature, Tim? While I'd agree that many of the quality list members don't sign their articles, I don't think I can make the leap that signed messages have no useful content. Please tell me I misread you.

No, I didn't propose such a correlation. Just a reminder that _many_ active posters are not routinely, or ever, signing. This is probably not due to a minor (few second) delay but, rather, to much large hassles (discussed here often, but having to do with editors on remote machines not having access to PGP tools and keys on local machines--this can be solved by moving the PGP onto the remote machine or by sending the file to local machines with sz, etc.).

...

Face it, some fraction of people on this list are gearheads, with their own Pentiums or Suns sitting on the Net and with lots of Unix/Linux tools they like to play with and that they can use to compile their premails and procmails and whatnot. More power to them.

Or perhaps just a lowly 486 running DOS and UUCP. But I heard that Cypherpunks Write Code, so I wrote PGP support into my signature controller. I have signed all my email for 2 years, and all net traffic for nearly a year. Gearhead? Perhaps I am. But this ain't no Porsche.

Like I said, "more power to them." I haven't gone this route, and face, under the proposed system(s), delays and perhaps bounces. For many reasons I think this is an unwise proposal.

Which only underscores the need for better tools for the existing platforms. Yes, I'd like everyone to sign their traffic. But it's not always possible when the tools to do that are either non-existant or arcane (which means I'm in agreement with Tim on why he doesn't sign his traffic).

You've just answered your earlier points. Let me recount something that hasn't been mentioned on the list. At the last Cypherpunks meeting, well-known Unix gearhead Raph Levien demonstated his premail work: nearly transparent encryption, decryption, remailing integrated into "pine," a mailer. Something this "simple" (no insult to the work meant...I mean simple in the sense that it is conceptually obvious and expected) drew oohs and aahs from the generally savvy attendees. It tells us something. (Yes, I may consider switching from my favored mail reader, elm, to pine. But not soon, and maybe not ever.)

Tim, just for fun, what tools would need to appear to make it possible for you to sign your traffic? Maybe a description will inspire some of the Macheads out there to get hacking. (the astute reader will note that I'm not suggesting new tools to the erstwhile Mr. May, as has been done so often in the past)

Others have touched on this. MIME stuff, mail wrappers, etc. There are three main worlds to consider: 1. Users on their own secure machines, composing, signing, and encrypting with tools on their own machine. Completed messages are either mailed (e.g., Eudora, dial-up) or are otherwise send directly (boxes sitting on the Net via SLIP, PPP, TIA, etc.) 2. Users who do some of their work on secure machines (perhaps at home) but log in to remote machines that are not secure against packet sniffers, snooping sysadmins, subpoenas (which may not even be disclosed to the target, as in cases involving money transfers, drug cases, etc.). 3. Users who do most of their work on unsecure machines outside their control. Most corporate users who use corporate machines. Most university students with campus accounts. PGP can and is used in all of these worlds. #1 is taken care of by lots of tools. (And if I limited my mail to Eudora, I could cope moderately well. But I don't even have Eudora running on my new Mac configuration yet, and I favor reading mail while logged-on to Netcom. Also, signing Netnews articles--not the topic of current debate--is not addressed. #2 is where additional tools are needed. A useful tool: agent-like technology that could "reach back" with a zmodem-like squirting of text to the local/home machine, do the sigs and encryption, and then squirt back the processed text. (Ironically, short messages are moderately easy for me to verify, as I can select the displayed text and use cut-and-paste. So long as all the text is visible. Longer text messages require that I somehow get the text--often by using sz to send it to my local machine--and this typically takes more steps and requires more choices than I want to deal with.). #3 users are probably happy in their ignorance and have others to help them with setups and configs. That so many students are diligent about signing their messages--on "foobar.edu"--says a lot about the spread of tools, helps, and common set of tools (e.g., everybody may be using 4.3 BSD and the same core set of editors and mailers). I am dismissive of #3 because it's toy security. Not a foundation to build on. But OK for students. Or employees. Or casual use. Enough for now. --Tim May -- .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay@netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^859433 | Public Key: PGP and MailSafe available. Cypherpunks list: majordomo@toad.com with body message of only: subscribe cypherpunks. FAQ available at ftp.netcom.com in pub/tcmay