UCENET II and Peter duh Silva

Charlie Comsec comsec at nym.alias.net
Tue Dec 16 08:48:45 PST 1997



-----BEGIN PGP SIGNED MESSAGE-----

Information Security <The at NSA.sucks> wrote:

> :   While that's technically true, it's even more true of non-anonymous e-mail
> :   addresses.  Usenet posts are much easier to forge than PGP signatures, and
> :   it's quite simple to sign up for a throwaway e-mail account under an assumed
> :   name.  It's not very secure from a privacy standpoint, but it's even less
> :   secure from a "positive ID" POV.
> :  
> :   At least with a PGP-signed anonymous post, readers are alerted up front that
> :   they are reading the work of an author who is withholding his/her identity.
> :   But if you read a post from "john_smith at hotmail.com", is it really someone
> :   named "John Smith" or not?
>    
> I'm not following this...anyone can generate PGP keys, and digital signatures
> are not necessary to identify an account...

Sure, anyone can generate a PGP key.  It's almost as easy as generating a
throwaway e-mail address.  And what does posting from a certain e-mail address
or signing one's post with a certain PGP key prove?  It proves that the poster
KNEW a certain piece of INFORMATION, either an account password or a PGP
secret key.  It's usually inferred that the person who possesses that
information is the person who generated it.  Of the two, guessing a PGP
secret key is orders of magnitude harder than guessing someone's password,
logging on, and impersonating them.

In addition, PGP signing is "portable".  No matter where I post from, if I
sign my post with the same key, you can assume it's me who posted it.  It's 
more difficult to do that with an e-mail address.  Let's say that you have a
common name like "John Smith" and you post as jsmith at someisp.com.  Are you
saying that's your "identity"?  What if Someisp, Inc. suddenly files for
bankruptcy and shuts down without warning?  Did you lose your identity?

You could open a new account as "jsmith" somewhere else and claim you are
the same person who previously posted as jsmith at someisp.com, but so could
anyone else who desired to impersonate you.  If you were signing your posts
with a PGP key, then all you'd have to do is make a post from your new ISP,
sign it with the same key, and your "identity" is "transferred".

- ---
Finger <comsec at nym.alias.net> for PGP public key (Key ID=19BE8B0D)

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

-----END PGP SIGNATURE-----
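
Added example, not part of the original message: a reader-side check of the "portable" identity argument above, where a pseudonym is tied to the first key seen for it and later posts are judged by that key rather than by the From: address. Ed25519 from Node's crypto module stands in for PGP signatures; the Reader class, the function names and the .example addresses are constructed for illustration.

```javascript
// Key continuity ("same key, same author") across e-mail addresses.
// Assumption: Ed25519 (Node crypto) is used in place of PGP signing.
const crypto = require("crypto");

// Fingerprint = SHA-256 over the DER-encoded public key.
function fingerprint(publicKey) {
  const der = publicKey.export({ type: "spki", format: "der" });
  return crypto.createHash("sha256").update(der).digest("hex");
}

// Poster side: sign the body only, so the signature is independent of
// whichever address the post happens to come from.
function signPost(from, body, keyPair) {
  const sig = crypto.sign(null, Buffer.from(body), keyPair.privateKey);
  return { from, body, sig, publicKey: keyPair.publicKey };
}

// Reader side: pin the first key seen for a pseudonym, compare afterwards.
class Reader {
  constructor() { this.pinned = new Map(); } // pseudonym -> fingerprint

  check(pseudonym, post) {
    const ok = crypto.verify(null, Buffer.from(post.body), post.publicKey, post.sig);
    if (!ok) return "bad-signature";
    const fp = fingerprint(post.publicKey);
    if (!this.pinned.has(pseudonym)) { this.pinned.set(pseudonym, fp); return "first-seen"; }
    return this.pinned.get(pseudonym) === fp ? "same-author" : "different-key";
  }
}

// Constructed scenario mirroring the jsmith example in the message.
function demo() {
  const real = crypto.generateKeyPairSync("ed25519");
  const impostor = crypto.generateKeyPairSync("ed25519");
  const reader = new Reader();
  const results = [
    reader.check("jsmith", signPost("jsmith@someisp.example", "Hello", real)),
    reader.check("jsmith", signPost("jsmith@newisp.example", "I moved ISPs", real)),
    reader.check("jsmith", signPost("jsmith@otherisp.example", "I moved ISPs", impostor)),
  ];
  const tampered = signPost("jsmith@newisp.example", "original text", real);
  tampered.body = "altered text"; // body changed after signing
  results.push(reader.check("jsmith", tampered));
  return results;
}

console.log(demo());
```

The first post is accepted on faith, so the check establishes continuity with whoever posted first under that key, not a real-world identity.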






