-----BEGIN PGP SIGNED MESSAGE-----

Seems like one way to encourage the use of digital signatures is to start forging messages from people who don't ordinarily sign their messages. Necessity is the mother of invention, and all of that.

I finally started signing my messages on a regular basis as a result of Detweiler forging a message which purported to be from me. On the other hand, I think Tim has been the most frequent target of Detweiler's forgeries, and I don't detect much of a creep towards signing messages on his part.

Eric, would you mind clarifying the purpose of the "sign-or-delay" rule? Last time this came up I assumed that it was to encourage folks who had 95% of the tools/initiative to start using crypto techniques on a day-to-day basis to get off their asses and do so; but other people seem to have different ideas about the purpose(s) of such a practice.

I think it might be interesting to try the "sign-or-delay" rule on a part-time basis - perhaps weekends only, or never on weekends, or only during December, or whatever. To me, it seems useful as sort of a "Great American Smoke-Out Day" for crypto; to get folks to go just one day where they use crypto in a practical, applied way, to prove that they can do it. What they do after that is their own business.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBLtvFC33YhjZY3fMNAQGc+QP/R2kBRlCNVLDVJNOLOGOWv6URYmnj+qTt
poo1LKtz31Mzj+rBAiXPZSYY5xPtTXKD/7X8dU3JYyJbH12kwvH/RS1GS4mEV++V
QDJD6L84EekrdFy0piP7jsGDMq2SQsHnI6G3GG0koGoMN/3u/UbDiCG3+yJ1b5u1
iMCS8dZQTfA=
=eCnh
-----END PGP SIGNATURE-----
(I haven't been getting list mail all day...just a few messages getting through Netcom's mail bouncer, so....)

Greg Broiles wrote:
Seems like one way to encourage the use of digital signatures is to start forging messages from people who don't ordinarily sign their messages. Necessity is the mother of invention, and all of that.
I finally started signing my messages on a regular basis as a result of Detweiler forging a message which purported to be from me. On the other hand, I think Tim has been the most frequent target of Detweiler's forgeries, and I don't detect much of a creep towards signing messages on his part.
Several points, and I'll try not to repeat points I made in my long essay of early this morning:

1. Only one person has reported to me that they were unable to verify my PGP sig (Lance Cottrell reported this...if others did, maybe their messages haven't gotten through to me). From this I conclude that few people check PGP sigs. (The "PGP 2.7" and the ASCII message in the sig might've provided some clues.)

2. This does not make such sigs useless of course, as the main value is in "critical" situations. (Legal cases, forgeries, diplomacy, contracts, etc.)

3. Again, crypto is about economics. In the military, crypto is a big part of operations (maybe 5% of staff on ships is connected with crypto, communications, etc.). But the military has real needs, and can afford (via our tax dollars) to have such efforts. Most of us are not dealing with such critical uses.

4. Speaking for myself, I have not generated or transmitted a file I felt *needed* to be signed, encrypted, etc. This is not to say such situations don't exist for others, won't someday exist for me, etc. Just things as they now stand. (When contracts are handled electronically, when payments are made electronically, etc., then such uses will be more apparent. But I am fairly open about my politics--indeed, I fly the flag of crypto anarchy in visible places--and have few files I transmit that I need to encrypt. Your mileage may vary.)

5. The Detweiler thing was amusing. No such thing as bad publicity (unless it's the Pinto-um RISK chip). Detweiler's forgeries had no legal effect on me, no lasting effect. Also, those who were "taken in" by his forgeries would hardly be in a position to verify my sig (to know who I was, to look up my PK on a keyserver, to jump through the hoops needed, and to ensure that the "Tim May" they checked was not in fact a phony keyserver entry...the several "BlackNet" public keys, only one of which I generated, are instructive).
I don't discourage anyone from using crypto, from signing messages, from routinely encrypting, etc. I just reject arguments that crypto is "essential," today, when in fact it clearly isn't. Crying wolf and all that. In 2-4 years, a lot of the current incompatibilities and lack of usability will have been worked out. About the time I expect to actually _need_ to use more crypto.

--Tim May

--
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
Cypherpunks list: majordomo@toad.com with body message of only: subscribe cypherpunks.
FAQ available at ftp.netcom.com in pub/tcmay
From: "Timothy C. May" <tcmay@netcom.com>
Date: Tue, 29 Nov 1994 22:23:09 -0800 (PST)

1. Only one person has reported to me that they were unable to verify my PGP sig (Lance Cottrell reported this...if others did, maybe their messages haven't gotten through to me). From this I conclude that few people check PGP sigs.

A safer conclusion would be that few people report signature failures, although I suspect that your conclusion is also correct.

I noticed that your message's signature failed, but chose not to report it. As I recall, it failed because I didn't have the appropriate key, although I do have your 0x54E7483F key and the key that it appeared to be signed with wasn't available from the MIT key server.

I also noticed Bill Stewart's signature failure on Message-Id: <9411300425.AA21554@anchor.ho.att.com> -- ASCII armor stripping failed.

In both cases, I assumed that the sender was trying to spoof the act of signing and I further assumed that you were more careful to match the form of a signed message than Bill was. The fact that you've been doing some spoofing lately only strengthened my sense that this was another gag.

Often, but not always, when I see a Bad Signature message I let the sender know about it.

Rick
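Rick's message above separates two different failures: a signature that does not verify, and armor that cannot even be stripped. The following is an added example (not code from the thread or from PGP itself) that makes that triage mechanical: it parses a PGP-style ASCII-armored block and checks its CRC-24 trailer, the checksum PGP writes after the base64 data (the same polynomial and initial value later documented in RFC 4880 section 6.1), so a mangled paste or transport damage can be told apart from a genuinely bad signature before any key is looked up. The armored samples are constructed in the block; the signature posted in the thread is not used.

```python
import base64

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB  # RFC 4880 section 6.1

def crc24(data: bytes) -> int:
    # CRC-24 over the decoded armor payload, bit-serial as in RFC 4880.
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor(payload: bytes, kind: str = "PGP SIGNATURE") -> str:
    # PGP-style armor: BEGIN line, headers, blank line, 64-char base64 lines, =CRC line, END line.
    b64 = base64.b64encode(payload).decode("ascii")
    check = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode("ascii")
    return "\n".join([f"-----BEGIN {kind}-----", "Version: 2.6.2", ""]
                     + [b64[i:i + 64] for i in range(0, len(b64), 64)]
                     + [f"={check}", f"-----END {kind}-----"]) + "\n"

def dearmor(text: str) -> tuple:
    # Returns (verdict, payload). Distinguishes "armor stripping failed" (framing damaged),
    # "crc mismatch" (data altered in transit) and "armor intact" (now go check the signature).
    try:
        lines = text.splitlines()
        begin = next(i for i, l in enumerate(lines) if l.startswith("-----BEGIN PGP "))
        end = next(i for i, l in enumerate(lines) if l.startswith("-----END PGP "))
        body = lines[begin + 1:end]
        data = body[body.index("") + 1:]          # armor headers end at the first blank line
        (check,) = [l for l in data if l.startswith("=")]   # exactly one "=XXXX" CRC-24 line
        payload = base64.b64decode("".join(l for l in data if l != check), validate=True)
        expected = int.from_bytes(base64.b64decode(check[1:]), "big")
    except (StopIteration, ValueError) as exc:     # binascii.Error is a ValueError
        return f"armor stripping failed: {type(exc).__name__}", None
    if crc24(payload) != expected:
        return "crc mismatch: armor altered in transit", payload
    return "armor intact", payload

# Constructed samples (not the signature posted in the thread).
SAMPLE_PAYLOAD = bytes(range(201))
GOOD_ARMOR = armor(SAMPLE_PAYLOAD)
_lines = GOOD_ARMOR.splitlines()
_d = _lines.index("") + 1                                  # first base64 data line
_lines[_d] = ("B" if _lines[_d][0] != "B" else "C") + _lines[_d][1:]
CORRUPTED_ARMOR = "\n".join(_lines)                        # one character changed
TRUNCATED_ARMOR = "\n".join(l for l in GOOD_ARMOR.splitlines() if not l.startswith("="))
```

A "crc mismatch" verdict means the block was altered between signer and verifier (line wrapping, a stripped trailing "=", a mail gateway rewriting characters), which is worth reporting back to the sender separately from a key-lookup failure.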
From: Greg Broiles <greg@ideath.goldenbear.com>

Seems like one way to encourage the use of digital signatures is to start forging messages from people who don't ordinarily sign their messages. Necessity is the mother of invention, and all of that.

How about a vacation-like program that automatically finds .sig blocks, stores them in a database and appends them at random to other posts?

Eric, would you mind clarifying the purpose of the "sign-or-delay" rule? Last time this came up I assumed that it was to encourage folks who had 95% of the tools/initiative to start using crypto techniques on a day-to-day basis to get off their asses and do so; but other people seem to have different ideas about the purpose(s) of such a practice.

Some of the reasons I've explained just recently. You are correct in the reason you state, also. Providing an incentive for those who are mostly there already will push many to act. I think that is a good thing.

One benefit I did not anticipate is an outcome of the large number of people actually having gone through the process of setting up their own signing mechanisms. There are many more people now who have hands-on experience setting up these crypto mechanisms for themselves and who consequently have a much better understanding of the implementation issues involved. For some problems action is ten times more effective than theorizing.

I think it might be interesting to try the "sign-or-delay" rule on a part-time basis - perhaps weekends only, or never on weekends, or only during December, or whatever.

This is a good suggestion. It makes the transition even more gradual.

Eric