-----BEGIN PGP SIGNED MESSAGE-----
Bill Stewart wrote:
At 01:21 AM 11/10/1997 +0100, Necessarily Knot, ME wrote:
I am including the key (below) for my new nym, which has not been used before, and would like for people to sign it and send the signed key to the list. This way, people will know by the signature, that it is, indeed: Necessarily Knot, ME
This was bizarre - what did you do to create the key and the ASCII version? I imported the key into my PGP 5.0, and saw the double-key icon, which says I have the private key as well as the public key, and sure enough, it was willing to let me change the passphrase (which was previously not set.)
I was testing the procedure outlined in Epilogue 5 of InfoWar on a friend's machine and, sure enough, I got PGP 2.62 to spit out the private key he had created as Necessarily Knott, ME.
I'm not sure how comfortable I am signing a key which has the private keys made public - so I signed it, and revoked it, and you're welcome to the signed revocation certificate :-)
Perhaps we have inadvertently taken key-signing to a new level. i.e. - develop software that will allow a user to have another user sign the key and then, when revoked, the software allows the user to sign with the revoked key, but not to recreate it or change it in any way. The software could be marketed to cryptographers with low self-esteem.
The keyserver says it accepted the certificate, but doesn't find it when I query it for the key, but then it did that to me earlier today, so I'm not sure if it's there or not. (It's the server at http://www.pgp.com/keyserver/pks-lookup.cgi .)
I added the secret key to the keyserver, and it also said it had accepted it, but does not show it on a query.
The KeyID was 0x61C747B1 - 512-bit RSA
But hey, since I've got this bogus key around, might as well sign something with it :-)
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQBVAwUBNGwEogpaM5Vhx0exAQGupAH/duqAF915VFqxcFHk3wlmXzmU2DDQv9nP
6FM0rU2MSfiFmfQu76dBAyriBAdEzk1Ry+oyZiWIlixGZYbLaXLU8Q==
=5ZQC
-----END PGP SIGNATURE-----
Yep. That confirms that your message was sent by someone who is Necessarily Knott, ME. Took a few days for you to reply to the message. Have you been waiting for the wee hours to see if you could narrow down the list of senders by seeing who is online at the time you receive a reply? I could add latency to this anonymous email, but that would be tacky.
Necessarily Knott, ME
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQBVAwUBNGwftQpaM5Vhx0exAQGYzAH9HMbEev5KxJs9cqzYm4wbXv8+7Atxx5D/
gymQS2nhxp2aupDIewq9JkzK++VN7JAZJqyexrimiOh7ndvwI7ZOvA==
=H6JV
-----END PGP SIGNATURE-----
At 5:03 am -0500 on 11/14/97, Anonymous wrote:
I was testing the procedure outlined in Epilogue 5 of InfoWar on a friend's machine and, sure enough, I got PGP 2.62 to spit out the private key he had created as Necessarily Knott, ME.
True confession time. Last March, when I was clearly still figuring PGP out, while experimenting with a nameless Mac PGP crypto package (hint, it wasn't built here on this side of the pond) based on 2.6.2, I accidentally exported my private key and sent it to someone famous so they could sign it. Fortunately, that person (hint, he knew PRZ, once, and got in trouble for it) physically showed up to visit me where I was working at the time, and stood over me while I genned up a new private key (I went to 2048 then) and revoked the old one, talking all the time about how many ways he could do a dictionary for the passphrase... I was feeling pretty stupid until he told me that PRZ did the same thing, back when they were playing with the original version of PGP. Actually, I still felt stupid after that.
Believe it... or not.
So, anyone want to bet that this key was done the same way? Except, how was Bill able to change the passphrase if he didn't know the old one? Curiouser and curiouser...
Cheers,
Bob Hettinga
-----------------
Robert Hettinga (rah@shipwright.com), Philodox
e$, 44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
The e$ Home Page: http://www.shipwright.com/
Ask me about FC98 in Anguilla!: http://www.fc98.ai/
At 02:47 PM 11/14/1997 -0500, Robert Hettinga wrote:
Except, how was Bill able to change the passphrase if he didn't know the old one?
It's one of Richard Stallman's old passwords..... I was surprised that PGP 5.0 does the right thing when the passphrase is empty - it's one of those things that's easy to miss, and in C often leads to bad behaviour.
Thanks! Bill
Bill Stewart, stewarts@ix.netcom.com
Regular Key PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
participants (3)
- Bill Stewart
- nobody@REPLAY.COM
- Robert Hettinga
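A pre-publication check for the mistake this thread describes, a key block sent out with secret-key material in it. This is an added example, not code from any poster or from PGP itself: it walks the OpenPGP packet headers (layout as in RFC 4880) and reports Secret-Key or Secret-Subkey packets. The function names and the sample packets are constructed for illustration and contain no real key material.

```python
import base64
SECRET_TAGS = {5: "Secret-Key", 7: "Secret-Subkey"}

def dearmor(text):
    """Return the binary packets from an ASCII-armored OpenPGP block."""
    body = [l.strip() for l in text.strip().splitlines()][1:-1]  # drop BEGIN/END
    if "" in body:                           # armor headers end at a blank line
        body = body[body.index("") + 1:]
    data = "".join(l for l in body if not l.startswith("="))  # skip CRC-24 line
    return base64.b64decode(data)

def packet_tags(data):
    """Yield the tag of each top-level packet (old and new header formats)."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header at offset %d" % i)
        if hdr & 0x40:                       # new format: tag in low 6 bits
            tag, first = hdr & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths are not valid for key packets")
        else:                                # old format: tag in bits 5-2
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = 1 << ltype                   # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag
        i += length

def secret_packets(armored):
    """Names of secret-key packets found; an empty list means none were seen."""
    return [SECRET_TAGS[t] for t in packet_tags(dearmor(armored)) if t in SECRET_TAGS]

def armor(packets, label="PUBLIC KEY BLOCK"):   # helper for the constructed samples
    return "-----BEGIN PGP %s-----\nVersion: constructed\n\n%s\n-----END PGP %s-----" % (
        label, base64.b64encode(packets).decode(), label)

# Constructed packets with dummy bodies (not real key material).
UID = bytes([0xB4, 4]) + b"test"             # old format, tag 13 (User ID)
PUB = bytes([0x99, 0, 8]) + bytes(8)         # old format, tag 6 (Public-Key)
SEC = bytes([0x95, 0, 8]) + bytes(8)         # old format, tag 5 (Secret-Key)
CLEAN, LEAKY = armor(PUB + UID), armor(SEC + UID)  # LEAKY is mislabeled as public
```

The check reads the packet tags rather than the armor label, so a secret key wrapped in a "PUBLIC KEY BLOCK" header is still caught.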