From: Alan Pugh                          Area: Public Key Encryption
  To: Jim Bell                           18 Jan 95 18:58:04
Subject: Re: Can I Freq Pgp?             UpdReq

=-lots of reasoned discourse snipped=

JB> "Strength in numbers," in other words. In effect, a favorable
JB> interpretation of the law can actually be forced on the government, by
JB> a reasonable concerted effort. But only if enough people with enough
JB> guts (and in this case, it doesn't take much) work together.

indeed. there is strength in numbers. however, if you are going to use encryption, it is important to make encrypted mail acceptable in the public's mind as well. i wish more fido echos would allow pgp encrypted traffic. i know that when i post on nets that allow this, i occasionally get a "what's this?" type post, which allows me to explain that there is nothing evil about encryption, and make the point that it is merely an envelope for your thoughts -(the postal analogy is especially powerful for some reason).

some would claim that allowing encryption in echo traffic will cause a deluge of such posting that would swamp the public nature of the net. this is not the case, except in echos where traffic is _supposed_ to be encrypted. people have a pretty good idea of what is reasonable and what is not.

there are some sysops who seem to believe that encrypted traffic somehow leaves them open to some legal (or extra-legal) sanction. when i post messages to specific people on the internet i almost exclusively do so using pgp. i've never had any problem doing so unless the recipient is on fido because some sysops won't even pass encrypted _netmail_.

encrypted traffic _will_ become more common in the future as the tools for doing so are improving and becoming easier to use. corporations will demand it. the government, despite their best efforts, will not be able to stop it. we happen to be on the bleeding edge of this curve.

i really like fido and related nets, which is why i read and post here and in more areas than i can sanely keep up with, but as a network, fido needs to grow up a little.

amp
<0003701548@mcimail.com>
January 18, 1995 18:58

... Hello, I am part number

----------------------------------------------------------------------

From: jason carr                         Area: Public Key Encryption
  To: mark lewis                         21 Jan 95 12:23:42
Subject: KEY REVOKE                      UpdReq

-----BEGIN PGP SIGNED MESSAGE-----

mark lewis wrote in a message to jason carr:

ml> did you actually try this? what happened to the revocation
ml> on the secret key? THAT is the main question. of course we

Nope, it's all conjecture at this point. I'm just theorizing so far.

ml> can always pull a copy of the unrevoked key from somewhere
ml> else but we can't really do that with the secret key, unless
ml> we have a backup copy somewhere and that, in itself flies in
ml> the face of security and the issues involved...

=====from the docs

Revoking a Public Key
---------------------

...

What If You Lose Your Secret Key?
---------------------------------

Normally, if you want to revoke your own secret key, you can use the "-kd" command to issue a revocation certificate, signed with your own secret key (see "Revoking a Public Key").

====end

I suspect that the revocation of the secret key is stored in the revocation of the pubkey. IOW, I dun think the seckey is actually "touched" in any way.

This weekend I'll do a revocation on a backup copy and see if the date/timestamp on the seckey changes.

jason

... All the world's a Schroedinger box & we are merely kitties

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: PGP_ECHO: CypherEcho to the gods...

iQCVAwUBLyFvE0jhGzlN9lCZAQHIDwP+MfG6yztlvPURp3B0BtOcWh83OgEZBaQQ
e/7/63TYX5bMGOD8lJHrnjUsuF6OGO3di7ONZrVJT/xiJygNJeXNbMpYWLY+gOXW
LVTAREBM6I8TGkgXJ5fOjQwN5L1oDlWD0k7Nu7Jv6v5n5++ZhkBhRA3fB08IAU8M
L6Szdi0hxYg=
=EB0e
-----END PGP SIGNATURE-----

... Key fingerprint = 60 97 B2 AE 7D 90 11 2F 05 1C 35 98 E9 B9 83 61

----------------------------------------------------------------------

From: Ian Hebert                         Area: Public Key Encryption
  To: Gordon Campbell                    21 Jan 95 10:10:10
Subject: Can I Freq Pgp?                 UpdReq

GC> On (08 Jan 95) Ian Hebert wrote to John Goerzen...
GC> IH> Technically, citizens of both the U.S. and Canada are subject to
GC> IH> ITAR, and therefore both may legally obtain PGP 2.6.2. I would
GC> IH> urge Canadians, though, to use PGP 2.6.i.
GC> I'd argue this point. Canadians are subject to ITAR only to the point
GC> that we are allowed to use the versions that are subject to it. The
GC> export restrictions are not enforceable in Canada.

Hi Gordon!

Actually, we're both right.... You're right in that the American export restrictions don't apply in Canada, and I'm right in that External Affairs has our own version of export controls, which largely parallel (and in some ways are even worse than) the American legislation.

I used to work for a Fortune 500 copier company, in their import/export department; I can remember being outraged at the statement of one of my colleagues that we had to get an export permit from WASHINGTON to export some goods from Canada to Britain! (A little while later Muldoon & Company implemented similar controls, so that one had to apply to Ottawa, but when one applied to Ottawa, they still checked with Washington.... sigh....)

Ian Hebert   London, Ontario, Canada
RIME: HOMEBASE (5508)   Fido: 1:2401/114   Internet: ian.hebert@homebase.com
PGP Key: 1024 / 077A2F7F 1993/02/11
PGP Key Fingerprint: A2 15 DE 22 DA FE D4 DC 0F 17 43 24 1F F2 1E 7B

----------------------------------------------------------------------

From: Ian Hebert                         Area: Public Key Encryption
  To: Rich Veraa                         21 Jan 95 10:12:10
Subject: Can I Freq Pgp?                 UpdReq

RV> In a message to Ian Hebert, Gordon Campbell wrote:
RV> IH> Technically, citizens of both the U.S. and Canada are subject to
RV> IH> ITAR, and therefore both may legally obtain PGP 2.6.2. I would
RV> IH> urge Canadians, though, to use PGP 2.6.i.
RV> GC> I'd argue this point. Canadians are subject to ITAR only to
RV> GC> the point that we are allowed to use the versions that are
RV> GC> subject to it. The export restrictions are not enforceable
RV> GC> in Canada.
RV> Are you sure that's still true? I thought there was something in
RV> NAFTA about Canada adopting a whole bunch of US laws, including
RV> ITAR. (just asking; I don't know for sure)

I heard that had something to do with acknowledging the validity of patents of the other signatories to NAFTA, but I don't have any details...

Ian Hebert   London, Ontario, Canada
RIME: HOMEBASE (5508)   Fido: 1:2401/114   Internet: ian.hebert@homebase.com
PGP Key: 1024 / 077A2F7F 1993/02/11
PGP Key Fingerprint: A2 15 DE 22 DA FE D4 DC 0F 17 43 24 1F F2 1E 7B

----------------------------------------------------------------------

From: Ian Hebert                         Area: Public Key Encryption
  To: Richard Dale                       21 Jan 95 10:15:10
Subject: Re: KEY REVOKE                  UpdReq

-=> Quoting Richard Dale to Jason Carr <=-

RD> I encrypted a bunch of files (as "messages" to myself) using PGP
RD> 2.3a. For some reason I thought you had to generate a new key
RD> when switching to 2.6x. Apparently that is not the case. I
RD> believe I could have simply used the 2.3a key, moving it over to
RD> 2.6x. In any case, I now have a 1024-bit and a 2047-bit key on
RD> 2.6.2, and can decrypt messages/files sent with either key. I
RD> suspect that if I put the 2.3a key on my ring, I can decrypt the
RD> files without having to move to a second computer, use 2.3a to
RD> decrypt them, copy them over to this computer, and re-encrypt them
RD> with 2.6.2.

The keys for the most part, are completely compatible--my 1024-bit key was generated using PGP 2.1; I didn't add signatures until 2.3a.

RD> If you take precautions, you can play around with PGP and have no
RD> worries. If you don't make the back-ups, you can find yourself
RD> erasing some files which can never be decrypted. I found that out
RD> the hard way. I didn't lose anything, as I was working on copies,
RD> but it helped me learn what to do.

That's excellent advice--keep multiple backups in multiple places, preferably on floppies.... you can't go too wrong that way....

Ian Hebert   London, Ontario, Canada
RIME: HOMEBASE (5508)   Fido: 1:2401/114   Internet: ian.hebert@homebase.com
PGP Key: 1024 / 077A2F7F 1993/02/11
PGP Key Fingerprint: A2 15 DE 22 DA FE D4 DC 0F 17 43 24 1F F2 1E 7B

... Catch the Blue Wave!
___ Blue Wave/QWK v2.12

----------------------------------------------------------------------

From: Ian Hebert                         Area: Public Key Encryption
  To: Christopher Baker                  21 Jan 95 10:15:10
Subject: Verifying PGP Keys              UpdReq

CB> you should NEVER certify a key you have not personally obtained directly
CB> from the source.

It might be better to say that you should never certify a key that you have not verified personally with the source; you could get a key from a keyserver, and if the source validates the fingerprint then the key is valid. It is not necessary to get the key directly from the source every time, although it is a good idea when feasible.

Ian Hebert   London, Ontario, Canada
RIME: HOMEBASE (5508)   Fido: 1:2401/114   Internet: ian.hebert@homebase.com
PGP Key: 1024 / 077A2F7F 1993/02/11
PGP Key Fingerprint: A2 15 DE 22 DA FE D4 DC 0F 17 43 24 1F F2 1E 7B

----------------------------------------------------------------------

From: Tim Witteveen                      Area: Public Key Encryption
  To: All                                19 Jan 95 19:02:00
Subject: PGP and BWave                   UpdReq

Hints Please....

I recently acquired PGP 2.6.2. I have tried to send a message to the friend who gave it to me. I am using BWave 2.12 Off-line mail reader. How should I go about actually doing this?

Do you find it easier to write your messages before or after you go into your Mail-reader? If you do write it before, do you sign and/or encrypt it before you load it into your reader, or do you wait until you have your reader open, write your message, save it, shell to dos, sign, encrypt and ASCII armour it, then add your address to the top line?

I would appreciate any hints or help with this. I have not had any luck so far.

Tim Witteveen

... Back up my hard disk? I can't find the reverse switch!
___ Blue Wave/QWK v2.12

----------------------------------------------------------------------

From: Wes Perkhiser                      Area: Public Key Encryption
  To: jason carr                         20 Jan 95 10:04:42
Subject: KEY REVOKE                      UpdReq

In a message of , jason carr (1:124/3208@fidonet.org) writes:

jc>OK, let's try it this way. Here are the steps involved in properly
jc>revoking a key and storing the revocation off the pubkey. I will

Well, I HATE to admit I might have been wrong, but it looks like your way will work if you answer "NO" when PGP asks if you want to remove the secret key as well.

I would have sworn that the revocation would also revoke the secret key as well, but it looks like it only affects the public half. At least, I tried your way and it DID work. Is the failure to affect the secret key a bug or a feature?

Wes

----------------------------------------------------------------------

From: Mike Riddle                        Area: Public Key Encryption
  To: Wes Perkhiser                      21 Jan 95 06:41:42
Subject: KEY REVOKE                      UpdReq

In a message to jason carr on Jan 20 95 at 10:04, Wes Perkhiser wrote:

WP> I would have sworn that the revocation would also revoke
WP> the secret key as well, but it looks like it only affects
WP> the public half. At least, I tried your way and it DID
WP> work. Is the failure to affect the secret key a bug or a
WP> feature?

Feature? There's always 10% that don't get the word.

If your key was compromised, you wouldn't want people to use the old one, so you still need to send the revocation out everywhere. And at least you will be able to see what message might have been compromised if someone trusted confidential stuff to an insecure key. You could do damage assessment.

But if yours was a periodic supersession, which is what most of ours have been, it doesn't hurt to use the old one for a while and you'll still be able to.

Remember that unless instructed differently, PGP uses the last key added as the default.

----------------------------------------------------------------------

From: Shawn McMahon                      Area: Public Key Encryption
  To: Tim Witteveen                      23 Jan 95 11:10:34
Subject: PGP and BWave                   UpdReq

Despite the stern warnings of the tribal elders, Tim Witteveen said this to All:

TW> I recently acquired PGP 2.6.2. I have tried to send a message to the friend
TW> who gave it to me. I am using BWave 2.12 Off-line mail reader. How should
TW> I go about actually doing this.

Personally, I use PGPBLUE and let it handle everything.

Filenames at 1:396/1:

PBLOS230.ZIP   OS/2 version
PGPBLU30.ZIP   DOS version

If you'll download his filelist, you'll find there are several other programs designed to integrate PGP with Bluewave.

If you wish to write batch files to handle this, the sequence should go something like this:

You tell Bluewave you want to write a message. It calls your batch file.
Batch file calls editor, you edit message.
Exit editor, batch file asks if you want to encrypt, sign, sign and encrypt, or exit. Jumps to appropriate section.
Batch file exits, returns you to Bluewave, where you add a tagline.
All done.

The problem with this method is it doesn't work for READING encrypted messages, unless you have a third-party utility that strips the Xx> from the beginning of quotes. PGP will barf on those lines, you see.

Said utility isn't too hard to write, but you darn sure don't want to try to write it in MSDOS or OS/2 batch language. REXX will work, or any compiled language.

Use a program like PGPBlue, and you don't need to write anything.
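The quote-stripping utility Shawn McMahon describes above, sketched in Python as an added example (not code from the thread or from PGPBlue); the function names and the sample message are constructed here. It removes only the prefix found on the BEGIN line, so a quote such as "ml>" that is part of the signed text itself survives.

```python
import re

# A BEGIN line, optionally preceded by quote initials such as " jc> " or
# nested ones such as " RV> IH> ". The prefix is captured so that exactly
# that prefix, and nothing more, is removed from the lines that follow.
BEGIN = re.compile(r"^\s*(?P<prefix>(?:[A-Za-z]{1,3}>\s*)*)"
                   r"(?P<marker>-----BEGIN PGP [A-Z ]+-----)\s*$")
END = re.compile(r"^-----END PGP [A-Z ]+-----$")

def unquote(raw, prefix):
    """Remove one known quote prefix (e.g. 'jc>') from a line."""
    if not prefix:
        return raw.rstrip()
    line = raw.strip()
    if line.startswith(prefix):
        line = line[len(prefix):]
        if line.startswith(" "):
            line = line[1:]          # the single space after 'jc>'
    return line.rstrip()

def extract_pgp_blocks(text):
    """Return each PGP block in `text` with its quote prefix stripped."""
    blocks, current, prefix = [], None, ""
    for raw in text.splitlines():
        if current is None:
            m = BEGIN.match(raw)
            if m:
                prefix = m.group("prefix").strip()
                current = [m.group("marker")]
            continue
        line = unquote(raw, prefix)
        current.append(line)
        if END.match(line):          # first END closes the block
            blocks.append("\n".join(current) + "\n")
            current = None
    return blocks

# Constructed sample: a signed message that itself quotes "ml>", quoted in
# turn as "jc>". The base64 line is a placeholder, not a real signature.
SAMPLE = """\
 jc> -----BEGIN PGP SIGNED MESSAGE-----
 jc>
 jc> ml> did you actually try this?
 jc> -----BEGIN PGP SIGNATURE-----
 jc> QUJDREVGRw==
 jc> -----END PGP SIGNATURE-----
 WP> I tried your way and it DID work.
"""
BLOCKS = extract_pgp_blocks(SAMPLE)
```

Each returned block can be written to a file and handed to PGP; a reader that re-wraps quoted lines would still break the armor and needs separate handling.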
----------------------------------------------------------------------

From: Shawn McMahon                      Area: Public Key Encryption
  To: Wes Perkhiser                      23 Jan 95 11:12:24
Subject: KEY REVOKE                      UpdReq

Despite the stern warnings of the tribal elders, Wes Perkhiser said this to jason carr:

WP> Is the failure to affect the secret key a bug or a feature?

Say you revoke your key.

The next day, you receive some mail from a guy who doesn't know you've revoked it yet.

If your secret key is revoked, you can't read the message.

----------------------------------------------------------------------

From: The Satanist                       Area: Public Key Encryption
  To: All                                22 Jan 95 16:44:42
Subject: test                            UpdReq

Test message. Reply requested.

----------------------------------------------------------------------