RE: It's finally over (was Re: Explanation of Harald Fragner and cypherpunks)

Most lists and services have dealt with the problem of someone accidentally subscribing, or maliciously subscribing someone else, in one of two ways:

A) send an acknowledgement message with a randomly generated authorization code that requires the user to respond.

B) send out a password and require the user to log in before the account is activated.

This works only if you assume the malicious individual will not receive mail sent to that address. It therefore falls down when the address is a mailing list or other distribution point that the malicious individual has access to directly or via archives. What we really need is an automated system that could authorize/deny an address prior to the code/password being sent, that would keep track of distribution list addresses and such. Perhaps I'll create one myself soon.

Matt
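[Editor's note: the following is an added example, not code from Matt or from anyone else in this thread. It models the acknowledgement-code scheme described above, the way it fails when the target address is a mailing list that fans the code out to every subscriber, and the pre-send authorize/deny gate the post proposes. Every address, list membership and the table of known distribution addresses is constructed for the example; cyphers@punks.net is borrowed as the sample list address from the message Soren posts later in the thread.]

```python
"""Double opt-in e-mail confirmation with a pre-send gate for shared addresses.

Added example, not code from the thread. Models scheme A from the post (a random
authorization code the user must echo back) and its failure mode: a mailing list
fans the code out to every subscriber. The gate that refuses known distribution
addresses before any code is mailed is the "authorize/deny prior to sending" step
proposed there. All addresses, memberships and the address table are constructed.
"""
import hmac
import secrets
import time

# Constructed table; a real deployment would feed it from observed list traffic
# (List-Id / Precedence: list headers) and role-account naming conventions.
KNOWN_DISTRIBUTION_ADDRESSES = {"cyphers@punks.net"}  # list named later in thread
ROLE_LOCAL_PARTS = {"list", "all", "everyone", "staff", "postmaster", "noreply"}

def is_distribution_address(addr):
    """Pre-send gate: exact denylist hit, role account, or a '-l' list suffix."""
    addr = addr.strip().lower()
    if addr in KNOWN_DISTRIBUTION_ADDRESSES:
        return True
    local = addr.split("@", 1)[0]
    return local in ROLE_LOCAL_PARTS or local.endswith("-l")

class MailSystem:
    # Toy transport: mail to a list address lands in every member's inbox.
    def __init__(self):
        self.inboxes = {}  # address -> list of message bodies
        self.lists = {}    # list address -> set of member addresses

    def add_list(self, list_addr, members):
        self.lists[list_addr] = set(members)

    def send(self, to, body):
        for recipient in self.lists.get(to, {to}):
            self.inboxes.setdefault(recipient, []).append(body)

class SubscriptionService:
    CODE_TTL = 3600  # seconds a code stays valid

    def __init__(self, mail, gate_enabled=True, clock=time.time):
        self.mail, self.gate_enabled, self.clock = mail, gate_enabled, clock
        self.secret = secrets.token_bytes(32)  # keys the code hashes kept at rest
        self.pending = {}  # address -> (keyed hash of code, expiry time)

    def _hash(self, addr, code):
        # Only a keyed hash is stored, so a leaked pending table yields no codes.
        return hmac.new(self.secret, f"{addr}\0{code}".encode(), "sha256").digest()

    def request(self, addr):
        addr = addr.strip().lower()
        if self.gate_enabled and is_distribution_address(addr):
            return "denied"  # nothing is mailed, so nothing can leak
        code = secrets.token_urlsafe(16)
        self.pending[addr] = (self._hash(addr, code), self.clock() + self.CODE_TTL)
        self.mail.send(addr, f"To confirm subscription of {addr}, reply with code {code}")
        return "pending"

    def confirm(self, addr, code):
        addr = addr.strip().lower()
        entry = self.pending.get(addr)
        if entry is None or self.clock() > entry[1]:
            return False  # unknown address or expired code
        if not hmac.compare_digest(entry[0], self._hash(addr, code)):
            return False
        del self.pending[addr]  # single use: a replayed code fails
        return True

def extract_code(body):
    """What every recipient of the confirmation mail can do: read the code off it."""
    return body.rsplit("code ", 1)[1].strip()

def scenario():
    mail = MailSystem()
    mail.add_list("cyphers@punks.net", {"alice@example.org", "mallory@example.net"})
    out = {}

    # 1. Personal address: only the owner sees the code; guesses and replays fail.
    svc = SubscriptionService(mail)
    svc.request("bob@example.org")
    out["guess_fails"] = svc.confirm("bob@example.org", "not-the-code")
    code = extract_code(mail.inboxes["bob@example.org"][-1])
    out["owner_confirms"] = svc.confirm("bob@example.org", code)
    out["replay_fails"] = svc.confirm("bob@example.org", code)

    # 2. List address, gate off: any subscriber (here mallory) can confirm.
    ungated = SubscriptionService(mail, gate_enabled=False)
    ungated.request("cyphers@punks.net")
    leaked = extract_code(mail.inboxes["mallory@example.net"][-1])
    out["subscriber_hijacks"] = ungated.confirm("cyphers@punks.net", leaked)

    # 3. Gate on: refused before a code exists, so the list receives nothing new.
    before = len(mail.inboxes["alice@example.org"])
    out["gate_denies"] = SubscriptionService(mail).request("cyphers@punks.net")
    out["nothing_sent_to_list"] = len(mail.inboxes["alice@example.org"]) == before
    return out
```

The gate is only as good as its table: a list whose address looks like a personal mailbox passes straight through, which is exactly why the post asks for something that keeps track of distribution addresses rather than a pattern match alone. The single-use and expiry checks in confirm() limit how long a leaked code stays useful but do not fix the underlying problem.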

-----BEGIN PGP SIGNED MESSAGE-----

In <33CCFE438B9DD01192E800A024C84A19284687@mossbay.chaffeyhomes.com>, on 09/16/98 at 12:37 PM, Matthew James Gering <mgering@ecosystems.net> said:

> Perhaps I'll create one myself soon.

PGP, digital signatures, CAs, authentication, ... This *is* a crypto related group isn't it?

How do Thwart, Verisign, or the other CAs handle authentication of an e-mail address in their low level certs?

- --
- ---------------------------------------------------------------
William H. Geiger III  http://www.openpgp.net
Geiger Consulting    Cooking With Warp 4.0

Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 5.0 at: http://www.openpgp.net/pgp.html
- ---------------------------------------------------------------

Tag-O-Matic: Windows? Homey don't play that!

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a-sha1
Charset: cp850
Comment: Registered_User_E-Secure_v1.1b1_ES000000

iQCVAwUBNgAY+49Co1n+aLhhAQGPqgP7BKyRdt9xZhk6jWVoOgHU8RuonrTpj7jh
TLOhzOy/F8UyycDnaIUtVlESmbCvCpkTIMyvEo9opcrUOD7Mm3I0JWAQ+nNPSN9T
8lQ45PEyjyYf9jhCySCpvzfan8vGQBFY0eGNFobcp4an7SKxJG1Yib5QRppkfghN
nhd4Wz1GRQA=
=l6Cf
-----END PGP SIGNATURE-----

Tag-O-Matic: I use OS/2 2.0 and I don't care who knows!

William H. Geiger III wrote:
You generate a key pair on your machine (Netscape keygen tag or MS CrappyApi). The public key + other self-referential material is sent to Thawte/Verisign et al (actually I like Thwart better). This is via broken PKCS#10 for MS, or proprietary SPKAC for Netscape (ever wondered why there are multiple buttons for your browser type?). They then send you a reference number via email. You cut and paste the number back onto their site. A PKCS#7 mimetype is downloaded, causing your browser to grab and stash your new cert. Netscape stores the key in its own special way, and the cert in a PKCS#12 format. MS stores both in PKCS#12 format, which is rather easy to hack.

If I were to request a cert from Thawte (the only really useful global, free, full strength one), and specify cyphers@punks.net (a well known interneting list) as my email address, then the email would be available to all subscribers of the list. Certs being public, this is not a problem. The crucial part being that the private key I originally generated, matching the public key in the cert, remains on my machine. I.e. I am the only one who can decrypt stuff encrypted with the cert's public key.

This is an interesting way of receiving encrypted mail (pseudo-)anonymously. Expect to see a rash of Thawte "collect your new cert" emails, followed by much encrypted mail that only one list subscriber has the wherewithal to decrypt. Another alternative is to distribute the private key to selected buddies on the list, to provide a shared cert.

Netscape specific: Migrating use of a cert requires an email to yourself that you will receive on your new machine, after copying the key*.db files and/or *.p12 files to the netscape/.../users dir, and importing it.

As to how sexdegrees.com could use this technology ... this would require some degree of know-how which would probably preclude signing up in the first place.
participants (3)
- Matthew James Gering
- Soren
- William H. Geiger III