ADMIN: proposed new policy on the mailing list

Matt Blaze mab at crypto.com
Sat Oct 23 11:43:26 PDT 1993


Oops, forgot to cc this to the list:

While I'm all for encouraging the use of digital signatures, I think this
is a bad idea.  The fact is there is not yet a truely generally available
method for digitally signing messages, and there are two competing standards
from which to choose as it is.  Just how should messages be signed?  PEM?
PGP?  What consititues a valid certificate?  (Actually, this question when
applied to your proposal underscores the inadequacy of both systems in
processing heterogeneous signatures - pgp imposes too little structure
and pem imposes too much.  But that's another story).

Then there's the practical problem that some people simply can't use a
particular signature technique with exisiting software and systems.
These people include:

- People outside the US and Canada, who can't legally use any PEM
implementation of which I'm aware because of restrictions on RSAREF.

- People in the US who can't use PGP because they're afraid to.

- People in the US who want to use PGP but can't because the people who
own/operate the computers they use won't let them.  Some people on public
access and university systems and many people in lawsuit-conscious large
companies with deep pockets are included here.

- People who would love to use PGP or PEM but don't see the point because
they don't fully trust the system on which they would sign their messages.
Anyone who uses anything but a private, single-user workstation SHOULD
be in this category.

- People who would love to use PGP or PEM but can't because they don't have
a working implementation of their secure mailer of choice for their particular
machine/OS.

Do we really want to exclude these people from full participation?  If so,
I suspect this would eliminate a few of the most valuable contributors to the
list.

Again, I don't thing this CONCEPT is a bad one, only that this particular
IMPLEMENTATION is premature in the absence of better and more ubiquitous
signature tools.

-matt (also unsigned, also known as mab at research.att.com)







More information about the cypherpunks-legacy mailing list