Mr. Squirrel

[Hal]

||ugh Daniel raises some questions about using public keys to
verify pseudonyms:

>   Hal is somewhat right, anyone can use 'Secret Squirrel' and anyone
> can use any public key they want also.

But, once person A creates public key X, nobody else can sign messages
using X.  So if all messages from A are signed under X, we can know
that they are all from the same person, even if they are sent anonymously
or under a pseudonym.

> So, in a many-to-one scope (as
> in a maillist) where the sender can not use the one-on-one signed
> signiture method how do we have proff of who the sender really is?

You can use signatures even in a many-to-one scope.  Messages from
a particular person could be signed and the signature appended to
the message.  Then anyone who has the public key can check to see
who the message came from.  The process is a little unwieldy now
in PGP because you have to separate the signature and message into
separate files and run PGP on the signature file.  This should be
streamlined.

> [Good points about keeping track of key-pseudonym pairs]
> But all this needs to be done automaticly by the mailers and
> interfaces, else the system will be mis-used and folks will tire of
> the extra work that gets them little advantage.

Absolutely.  The most crying need now, IMO, is to better integrate the
cryptographic tools into mail readers and senders, so that it's not
such a pain to use these things.  People should be able to give a single
command or press a button to decrypt an incoming message or encrypt an
outgoing one.  Only then will these features be used by average people.

There was a message posted on alt.security.pgp describing how to
use PGP with the Emacs mail reading program.  I'd like to see more
messages telling how to use it with other systems.

Hal
74076.1041 at compuserve.com