-----BEGIN PGP SIGNED MESSAGE----- I don't think the security problems of Eric's proposal are as bad as some have suggested. People could create a separate, "lower security," public key for use on multi-user systems, with a different pass phrase than for their "high security" key. Perhaps the key could have an appropriately small size of about 400 bits. It would still be far more work to break the security of such a system than to forge mail across the network (which is easy). So such a system does enhance security over the existing system of unsigned messages. As for the argument that people don't have access to signature systems - PGP illegal in the U.S., PEM/RIPEM unavailable outside the U.S. - just turn these around: PGP legal and available outside the U.S., PEM/RIPEM legal and available inside the U.S. Everyone has access to legal encryption and signature software. One problem I see with Eric's suggestion is that it is couched in terms which suggest our main business here is debate. Eric suggests that a delay in having your message appear is to your disadvantage because your opponent's arguments will stand unrefuted for a time. Recently the list has been pretty contentious, but historically there has been much less debate here than on many other lists, and I would hope that we could return to that approach. It would be better if we could exchange information, ideas, approaches for reaching the goals we share. In such an environment a delay in the posting of a good idea is to everyone's detriment and does not particularly harm the person whose ideas were slow to appear. Still, I support Eric's basic goal of encouraging more use of the technologies we talk so much about. I will remind people that I make an encrypted version of the cypherpunks list available to anyone who has a PGP public key which includes their address. There are only a few sub- scribers now but if you'd like to try it send me your PGP public key and I'll add you to the list. I'd suggest trying it for a few days before cancelling your regular CP subscription to make sure you can handle the encrypted traffic. Ironically, our anonymous posters, who have generated so much controversy of late, are at least using the technology. Maybe if we do implement some form of Eric's idea we should give the preferential treatment to anonymous posters as well as signed messages. People can post anonymously without having to expose any secret information, which should address the security concerns mentioned above. I'm sending this message with the following headers, which direct replies back to my address. This reduces the biggest inconvenience with using remailers, the inability to get replies: :: Request-Remailing-To: cypherpunks@toad.com ## Reply-To: hfinney@shell.portal.com One more point. I was the one who initially implemented the clear-sign feature in PGP. I copied the idea from PEM, but put the signature info at the end. (I still think that putting it at the beginning was a silly idea.) When I wrote it I didn't have the blank lines around the ----- separators. Branko added those and also add the Version: line (which is ignored by the software). I still like my format better, as I think the signatures should add as little as possible. But have you seen what these PEM signatures look like? I've seen a couple on sci.crypt and I almost fell out of the chair laughing. First, the guy had to _manually_move_ the signature from the beginning to the end to get it out of the way. But, worse, the signature is like thirty or forty lines long! I kid you not. The guy posts a message of about a (24-line) screenful then it has like two screenfuls of signature information. It looks ludicrous. No wonder he had to move the signature to the end - otherwise people would have given up before they even got to his message. (In fairness, these PEM signatures are self-checking; PGP signatures require you to get the key on your own. I'm not sure if a non-self-checking PEM signature mode exists.) Hal Finney hfinney@shell.portal.com -----BEGIN PGP SIGNATURE----- Version: 2.3a iQCVAgUBLMnCI6gTA69YIUw3AQHs2AP5Ae64wUfiNa4/yborffvMry1MAt9chF05 9Bdz3NupXkWU1GNbmniFKDnU+GdGR+Tuu3HgwwV7N55EjLY7SclOaLBxKXySD25X sAlwlH1yDZO/ly5UxKakdaPKR4nzIZZjPZ8ZoCkDszoNcxERj/nF7l7zLYP3eXF+ GG+YBHenSL4= =/09p -----END PGP SIGNATURE-----