From: Wes Landaker
Area: Public Key Encryption
To: All
19 Nov 94 17:14:28
Subject: PGP 2.6.2 OS/2 compile?

-----BEGIN PGP SIGNED MESSAGE-----

Hello All!

Is there an OS/2 compile of PGP 2.6.2 out yet? =) If it's already been mentioned in here, I must have missed it completely.

wjl [Team OS/2]
* 1:202/322@fidonet.org * wjl@dstorm.jd.com *
* UUCP: nosc!jadpc!dstorm!wjl * PGP Key: C0E9A805 * FREQ: PGPKEY *

-----BEGIN PGP SIGNATURE-----
Version: 2.61
-----END PGP SIGNATURE-----

From: John Mudge
Area: Public Key Encryption
To: Jim Cannell
19 Nov 94 07:37:04
Subject: PKZIP security

Hello Jim!

Saturday November 12 1994, Jim Cannell writes to All:

JC> Does anyone know about a method for cracking PKZIP passwords? Is there
JC> a program (or at least an algorithm) available for this? If so, where
JC> can I get a copy. Thanks.

ZIPHACK.ZIP can be FREQed from here. I suspect it was written for PKZIP 1.10 and quite possibly is of no value on PKZIP 2.04g files. I have no experience using it.

John Mudge
jmudge@wln.com

From: John Mudge
Area: Public Key Encryption
To: Jim Cannell
19 Nov 94 08:25:00
Subject: PKZIP Crack

Hello Jim!

After I left a message about ZIPHACK.ZIP, I freqed a copy of PKZCRACK.ZIP from Scott Mills. His archive contains both CRACK.EXE and ZIPCRACK.EXE. Mine contains a file called CRACK2.EXE. Looking at the two versions of CRACK*.EXE using LIST.COM indicates that both are CRACK.EXE V2.0 from a group in Russia. The two files have different dates from the one imbedded in the .EXE and they differ in size, however. I have both available for FREQ but recommend extreme caution due to these discrepancies.
CAREFULLY scan them for viruses, etc. I have not unarchived either one and have not tried using them. I cannot vouch for either and do suspect tampering.

John Mudge
jmudge@wln.com

From: Jim Gillispie
Area: Public Key Encryption
To: Basil Hoyl
19 Nov 94 23:21:00
Subject: Lawyer 1/4

Hello Basil!

16 Nov 94 14:50, Basil Hoyl wrote to All:

BH> Jim Gillispie wrote:
JG>> If you really want to put your key out and let folks ,
JG>> know who you are then write that stuff in the beginning
JG>> of your message and then attach/import your extracted
JG>> key into the bottom of the message. You can then .
JG>> clear sign the message with your key to verify its
JG>> to add it to their keyring, but it lessens the _size_ of
JG>> their accuracy Granted clear signing it makes it a little
JG>> more difficult for someone keyring tremendously.... In
JG>> the long run though, the only thing that concerns me
JG>> with someone's key is that it can be verified..... Other
JG>> than that,

Did the above come across this way or is it the result of your edits? Just curious if I need to check my mail software.

BH> Not all people will have the text file associated with the key.

Hmm. Well yeah I suppose that's correct if they got your key second hand (i.e. from a source other than PKEY_DROP) so here's another option: Put a comment block in with your key. This will be plain text like the VERSION: line and I 'think' that it shows on Public Key Blocks. If it in fact does no one could delete this line(s) without invalidating the key.

JG>> I really don't care _who_ you say you are on a PGP
JG>> level. If I want to know _who_ you are, I'll initiate a
JG>> _conversation_ with you to investigate just that. As for

BH> The problem with initiating a conversation to determine who
BH> a person is centers on the anonymity of pgp keys and
BH> communication.

I'm not sure where you're going with the anonymity issue here. Could you expound a bit?
BH> If I would like to communicate with a
BH> particular person, I probably already know that person and
BH> what I would like to say to that person, and why it must be
BH> confidential. If I have a particular need to communicate on a
BH> particular topic, and I wish that not everyone have access to
BH> the contents of my communication, then the issue is twofold;
BH> first that I can find the right person to meet my needs, and
BH> second that the person I find is actually that person and not
BH> some government agent masquerading as a human. :)

This is an issue discussed in Phil's eloquent babblings in the PGP docs. He emphasises the importance of face-to-face, or bullet proof, verification of someone's identity. Anyone can _say_ they are anything they desire. Take yourself for instance; you claim to be a lawyer, but how do I know in fact that you are? You could actually be an agent of the IRS or NSA trying to covertly subvert the public and snag would be tax (or other) criminals under the guise of claiming to be a lawyer (extreme example filled with paranoia). The point is that I don't know you from Adam until I meet you personally or am introduced in some way by someone I unconditionally trust.

BH> If
BH> sufficient information is placed in the id section of a public
BH> key, then the first of these two criteria is facilitated.

Not really, see above.

BH> The
BH> second is still up to the individuals. In other words, if you
BH> have a large key ring filled with "John Smith" and "Gaylord
BH> Perry" how would you know to whom to write in code in
BH> order to learn how to throw a spit ball in major league
BH> baseball unless you already knew the person.

I doubt even "Goose" Gossage or Nolan Ryan could teach me to throw a Major League spit-ball via e-mail.
BH> I suggest that
BH> the type of expertise you have should be placed in the id field
BH> to further identify the person and demonstrate WHO THAT
BH> PERSON IS by identifying the person not only by name but
BH> also by expertise, etc...

As I have stated above, the only way for me to know _who_ you really are is to get some face time with you. Either that or do a background check on you.

JG>> I did pull in your public key to my keyring and it
JG>> damned near brought my 386DX/33 to its cyber-knees.

BH> Memory and the limitations of PGP may be a valid concern.
BH> I do not know how PGP keeps large public keys in memory.
BH> Must the machine have sufficient ram to contain the entire key
BH> at one time? If this is the case, then it might be important to
BH> keep the id fields small.

I'm not certain about how much of the key PGP keeps in at one time (I've got the source code but haven't pored over all of it at this time). I do know that it makes extensive use of Multi-Precision Integers (MPIs). These are _really_ huge numbers stored at the bit level over up to 256 (I think) bytes of data. It uses these numbers to perform various tasks. Additionally, my computer I'm using here isn't a pup. I've got 20 meg of memory in this box so the memory constraint ain't a problem. The problem comes from PGP having to sift through and decrypt all of the information stored in my key-ring. Each separate part of a key-ring is stored in a 'packet'. There are tons of them in a typical key; for instance: key-id, user-id, timestamp, public-key, signature, message digest, compressed data, literal data, comment, secret-key, public key certificate, keyring trust. PGP has to 'digest' all of these when working with a given keyring. Some of them may contain one or more of the other packets. Such as a public key; it contains the key-id, user-id, timestamp, message digest, literal data, comment, and one or more signatures.
So, as you can see, the CPU resources needed to digest a key can increase exponentially as you increase the size of your key.

BH> John Schofield wrote:
JS>> First of all, your act was not immoral. However, it was
JS>> very annoying.

I only found it _mildly_ annoying. I know how to delete user-ids I don't wish to have on my key-ring and your additional user-ids/admonishments are removable.

JS>> I have no qualms with someone putting
JS>> as their user ID "John Smith (Lisp
JS>> programmer)" I would have had no problem with you
JS>> putting "(Tax Lawyer)" after your ID.

I have mixed feelings on this. I'm not opposed to advertising, I could put that I'm a programmer/analyst in my key I suppose, but why? The purpose of PGP as I see it is not to conduct blind communications via secure channels, it is to provide secure communications with individuals whom you in fact know and/or trust when face time is not available or appropriate.

Jim

From: Jim Gillispie
Area: Public Key Encryption
To: Basil Hoyl
20 Nov 94 00:09:00
Subject: Lawyer 2/4

Hello Basil!

16 Nov 94 14:52, Basil Hoyl wrote to All:

BH> Perhaps I included too much information. (for a lawyer to
BH> keep information to only one screen of verbiage was to my
BH> mind something of a success) :)

My sister and brother-in-law are both attorneys. 'nough said.

BH> Perhaps the way to determine
BH> how much information is enough or too much is to give some
BH> thought to the size of an ascii pgp public key file. Mine was
BH> about 1700. (now down to less than 800) This also goes to
BH> Mr. Gillispie's concerns about memory problems for large
BH> keys. What do you (the reader) think about the maximum size
BH> of an ascii pgp public ring?

I guess the rule of thumb would be determined by how many people you actually maintain secure communications with.
If you're using a Pentium90 with 256Meg of memory key size won't be much of an issue, on the other hand if you are running on an 8088 with 256K you might want to arbitrarily add and remove keys based upon who you are communicating with at any given time. My ring has expanded quite a bit in the last month or so. I think it's up to around 40 or 50 different people. As such I know that I pay a performance price in working with it. The thing that blew me away with your key was that: when I added it I had only about ten people on my key and it took my machine about 5 seconds to read in my key-ring, after adding your key the time jumped up to around 30+ seconds (I actually had to hit the Caps Lock key to verify that my machine wasn't locked). If everyone included as many user-ids as your key had on it PGP would damned near require a Pentium90 with 256K RAM and SCSI-2 running Unix or OS/2 just to handle a 20 user key-ring. Okay, maybe I'm exaggerating, but not by much.

JS>> Plus, you were advertising for a Texas-based law firm in
JS>> a forum that is read all over the world. Worse yet, your
JS>> key will be added to key-servers located in many
JS>> different countries. Ninety-nine percent of the people
JS>> who will see your key have no possible use for you. I
JS>> have no need for your services.

This gets back to the anonymity thread again. Say I'm involved in the organization of public militias (something our Gov't here in the states don't want). Why in gods name would I put that in my public key and then post it on a public conference? Uh, excuse me here but I just violated my own personal anonymity didn't I? I post my key so that people who wish to send me _private_ and _secure_ mail may do so, period. What possible reason would I have to send Bill Clinton PGP encrypted mail (other than to piss him off)? If I send you encrypted mail it is because I _know_ you and want to keep our conversation private.
BH> I would be happy to discuss topics relating to law
BH> with individuals in Russia or South Africa, and they might not
BH> wish their communications to be publicly read!

If you were in such a situation, would you really initiate or participate in a conversation with someone you haven't actually met and knew, on a subject that could possibly put you in jeopardy? I certainly would not.

BH> Someone in
BH> Miami or New York or Los Angeles might have interesting
BH> discussions of the United States Code which they do not wish
BH> to have publicized.

See above.

BH> Why did I choose the form I chose to list these
BH> things? First and foremost, I wanted to include "key words"
BH> so that if someone had a particular interest and they typed in
BH> a key word, my key would appear as an option.

Let's say I have a particular interest in exterminating lawyers and attorneys because I just got cleaned out in a bitter divorce settlement. Do you want me to have this easy of access to your name and location? From the info you provided it would take very little effort on my part to hunt you down like a crippled deer. Not a situation I'd want to be in. Granted that's an extreme, but we _are_ talking about privacy here.

BH> Second, if
BH> they had use of my experience, knowledge or services, they
BH> could contact me, and if they just wanted to chat, they knew
BH> the areas of my expertise and knew what I did for a living.

None of which is the intended purpose of Public-Key Encryption. The purpose (and this is only my opinion based upon my interpretations of Phil's writings) is to provide a means of 'sealing your e-mail envelope'. I don't write letters to people I don't know something about; it's a waste of good postage.

BH> PGP is what we make of it. It is written to allow several ID
BH> fields to fully identify the person whose key is listed. I chose
BH> to make full use of this ability of the program. You may not
BH> choose to use it to find a penpal.
BH> If you have private
BH> messages to send to people, you can place those persons on
BH> your special public key ring. If you are dealing with large
BH> key rings containing the keys of numerous people you never
BH> met and do not know, why do you have the key ring in the
BH> first place? The only reason you should have a ring of that
BH> nature is if the individual keys so fully identify the person
BH> that you know their name, how trusted the key is, how to contact
BH> them, and why you might wish to contact them (their expertise,
BH> etc...) Without all these things, what use is such a public key
BH> ring?

I think you may be confusing the definition of 'public' in this context. Public here means that it is a means for anyone wishing to initiate private conversation with you may use this key so that _only_ you may read the contents of the message by using your secret key to decrypt it. It's not meant to be a directory service like the white/yellow pages.

Jim

From: Jim Gillispie
Area: Public Key Encryption
To: Basil Hoyl
20 Nov 94 01:27:02
Subject: Lawyer 3/4

Hello Basil!

16 Nov 94 14:54, Basil Hoyl wrote to All:

SM>> I suggest an alternate strategy; just put an indication
SM>> that you're an attorney, and the phone number of your
SM>> office. Your present strategy will generate a lot of
SM>> ill-will with net-heads; and after all, we're the only
SM>> ones who'll see it. Bad marketing idea.

BH> I agree that it is not an idea likely to generate business.
BH> Again, you are probably correct that "net-heads" are the ones
BH> most likely to encounter my pgp key. I am new to this pgp
BH> group. Most of the time when I joined a new group in the
BH> past, I am asked to introduce myself, and tell something about
BH> who I am and what I do.
BH> PGP keys are rather impersonal
BH> introductions and if I were in a group where a new individual
BH> was asked to introduce himself and he merely stated his name
BH> and sat down with nothing further, I would think that person
BH> to be cold and rude. Try to think of it as "Howdy."

If you want to say "Howdy" to the group then just say it. We don't need you to encrypt that to accept it. As I've stated before, you can say you are anyone you desire via this electronic media. I won't know that you in fact are unless I meet you face-to-face, see some ID, and then run a full background check on you. Even then depending on who you in fact are I could still be mis-informed. Just putting a bunch of text as added user-ids does not add any credibility to your identity. The courts are beginning to fill now with cases of people masquerading as someone they are not and then stalking the people they have conversed with via the Cyber-net.

BH> Thomas Hughes wrote:
TH>> jason carr wrote:
TH> jc>> I think it's fairly obnoxious
TH>> ditto.

BH> Ok, I do appreciate the statement that "it" was fairly
BH> obnoxious rather than my being fairly obnoxious. I do confess
BH> to being obnoxious at times, but then I am a lawyer and it is
BH> a professional hazard :)

Never thought of it as a hazard, always thought it was a pre-requisite. At least that's the way I've treated my sister.

BH> I would like to hear, good and bad, what others in the
BH> conference think about this issue. Is it wrong to include in the
BH> ID section of your public key such items as your profession,
BH> snail mail address, or reasons why individuals might wish to
BH> send messages to you? Should the ID field include key words
BH> to topics in which you have expertise? What should be the
BH> maximum Permissible size of an ascii armored pgp public key
BH> file for distribution?

I wouldn't say that anything you did was 'wrong', I think it violates your personal privacy a great deal though.
And that privacy is the essence of PGP. I post in my key only what may be necessary to contact me via electronic mail. I don't post who I am, where I live, what I do, or what I know. I consider all of that to be information privy only to those whom I deem it necessary information to know. The key is there for people to send me private mail which they wish me to be the sole recipient and reader. I hope they _already_ know _who_ they are sending their mail to in the first place.

BH> If I offended anyone, I apologize.

You've gotta work a lot harder to offend me Basil.

Jim

p.s. Note that I didn't even PGP-sign this posting. If I had, would it really have influenced your confidence in the credibility of the message or me? - j

From: Alan Pugh
Area: Public Key Encryption
To: Christopher Baker
18 Nov 94 20:01:16
Subject: Re: PGP

=snip=

AT> And, if that bill the gov't.'s talking about passes, would it be
AT> illegal to use PGP? I mean, I use it once in a while to communicate
AT> with my friends up north regarding stuff that I wouldn't exactly say
AT> in public (teen
AT> matters).

CB> it would be more impossible to enforce than drug laws.

and every bit as dangerous to our liberty. can you _imagine_ what new assaults upon our liberty they will dream up?

amp <0003701548@mcimail.com>
November 18, 1994 20:0

`~~~ PGPBLUE 2.5
... I must be a saint. (Money is the root of all Evil)

From: Ian Lin
Area: Public Key Encryption
To: David Mcintyre
17 Nov 94 14:07:26
Subject: PGP versions

DM> I always liked 2.3a. It worked fine, and had no bugs that I could
DM> find. From what people have said, there should be no distrust over 2.6
DM> and up. People have had plenty of opportunity to grill over the source
DM> code, and nobody's turned up any possible security holes.

Who's qualified to do it?
You need people who are good programmers and good cryptographers to really get a look at it. The problem is that I don't really know of many who I would trust. I'm sure the NSA has a lot of them but they aren't our friends.

... 80666 - microprocessor of the beast.

From: Ian Lin
Area: Public Key Encryption
To: David Mcintyre
17 Nov 94 14:07:28
Subject: PGP versions

DM> Actually, it will. I don't pay the phone bill. :)

2.3a will take about 3 minutes at 205k at 14.4kbps with compression and error correction (v42bis, v32bis) coming out to about 1600 CPS. Well, if you want it, it's here at 1 613 547 6756, Black IC BBS.

... This sentance has threee errors.

From: Ian Lin
Area: Public Key Encryption
To: David Chessler
17 Nov 94 14:08:30
Subject: Pgp abroad

DC> commercial use (which is cheap enough). Moreover, there is
DC> no prohibition on IMPORTING secure encryption, so have the
DC> foreign party buy an extra copy of whatever is commercially
DC> available (probably triple DES), and send you the floppy.

I didn't know you could import. OH well, I'm Canadian. I can do what I want. :)

... Math problems? Call 1-800-2x[3y+a]sin/(5x)

From: Ian Lin
Area: Public Key Encryption
To: Michael Johnson
17 Nov 94 14:29:48
Subject: Internet sites.

MJ> If possible I would like all versions commonly in use
MJ> today, so I can try them all and offer them to be
MJ> downloaded by users.

Do you have version 2.3a? If not, you can get it from me. It's not an internet site. Sorry. If you really want 2.3a, 2.6ui and 2.6i, you can get them all from my BBS at 1 613 547 6756 in Kingston, Ontario, Canada. I wish I had access to Internet but I don't.

... The dinner's fighting and the kids are burning.

From: Ian Lin
Area: Public Key Encryption
To: Brian Giroux
17 Nov 94 14:33:50
Subject: Multiple Questions...

BG> What happens if I certify someone's key, and they turn out to be
BG> someone who just certifies people's keys without checking them out?
BG> Wouldn't I end up with keys that are marginally trusted, but really
BG> can't be trusted at all?

That's right. I almost started doing that but stopped when someone told me about that. Just don't sign the keys of people you don't really trust and don't trust them if they don't hold the same policy.

BG> COMPLETES_NEEDED=2
BG> MARGINALS_NEEDED=4
BG> CERT_DEPTH=5
BG> Does this look overly cautious to anyone?

I only use 1 complete. I use 2 marginals and my cert depth is 2. I think you're overly cautious on the 2 items but too open on the last.

... Famous Last Words: It's perfectly safe. Let me show you.

From: Ian Lin
Area: Public Key Encryption
To: Albert Tanone
17 Nov 94 14:37:52
Subject: Pgp

AT> I just saw a file floating around PGP 2.6 or such. Is this a true
AT> release or is this a hack?

It's a true release but it's not just from Zimmermann. It's made by him with MIT. I don't know if I'll use it. I'm using 2.3a. There's 2.6, 2.6ui and 2.6i and 2.6.1 and 2.6.2. There's a lot beyond 2.3a but I don't use them. I wonder about them. 2.3a was abandoned by legal force. Ones from MIT I don't trust because I don't like the idea that Phil may not have had much choice about what to do with the next PGP. Phil Zimmermann got into legal trouble after all for 2.3a and previous versions because of copyright violations and I'm still not sure what trouble he got into for PGP being exported outside of the USA. Ones not even made with Phil? I don't use them because I really mistrust them. I can use them for sig checking so I do that. I still don't want to trust more than 2.3a.
2.3a is good, works, and is trustworthy. All the others are simply too questionable due to the circumstances.

AT> And, if that bill the gov't.'s talking about passes, would it be
AT> illegal to use PGP? I mean, I use it once in a while to communicate

It may be illegal to use PGP if that gov't bill passes--illegal in the USA. I hope it doesn't happen because then I'd have to use whatever legal version of whatever encryption when I visit. I live in Canada and would not stop using PGP. I would use PGP under legal encryption in the USA if I had to use something else. The hell with the law.

AT> with my friends up north regarding stuff that I wouldn't exactly say in
AT> public (teen matters).

Well you could use it under other encryption if you had to.

... ebius tagline. This is a moebius tagline. This is a mo ...

From: Ian Lin
Area: Public Key Encryption
To: Michael Bauser
17 Nov 94 14:41:54
Subject: PGP versions

MB> YOU ARE BEING PARANOID. STOP THAT. I HATE PARANOIA.

I LIKE IT. Paranoia is good for the soul. Paranoia keeps you alive. Non-paranoid people are fools. They are not cautious and are easily fooled. You don't know what you're putting down. You need to look into this some more.

... Never ask how much leg a Freudian slip covers.

From: Ian Lin
Area: Public Key Encryption
To: Shawn Mcmahon
17 Nov 94 14:44:56
Subject: PGP versions

SM> have access to RSA. So, they require us US citizens to use the
SM> slowest widely-used implementation of RSA. Meanwhile,
SM> everybody else in the entire world uses faster
SM> implementations. In fact, according to Peter Gutmann, the
SM> fastest implementation of RSA he's seen was written in
SM> Moscow. :-)

Then if that's what you know, stop telling me to stop using 2.3a. You even admit here that the MIT version isn't good enough.

... I had a handle on life until it broke.
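
The COMPLETES_NEEDED / MARGINALS_NEEDED / CERT_DEPTH settings compared in the "Multiple Questions..." exchange above, as an added example (not PGP's own code and not from any poster): a simplified model of how those thresholds decide which keys count as valid, run with both posters' values. The keyring, the names and the scoring rule are constructed assumptions.

```python
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Policy:
    completes_needed: int   # fully trusted introducers needed to validate a key
    marginals_needed: int   # marginally trusted introducers needed
    cert_depth: int         # how deep an introducer may sit below your own key


def valid_keys(me, signatures, owner_trust, policy):
    """Return {key: depth} for every key this simplified model accepts.

    signatures:  {key: set of keys that signed it}
    owner_trust: {key: "full" | "marginal"}; anything else is untrusted
    """
    def weight(signer):
        if signer == me:                      # your own signature is enough
            return Fraction(1)
        level = owner_trust.get(signer)
        if level == "full":
            return Fraction(1, policy.completes_needed)
        if level == "marginal":
            return Fraction(1, policy.marginals_needed)
        return Fraction(0)

    depth = {me: 0}
    while True:
        newly = {}
        for key, signers in signatures.items():
            if key in depth:
                continue
            # A signature counts only if the signing key is itself valid,
            # its owner is trusted, and it is not nested deeper than allowed.
            usable = [s for s in signers
                      if s in depth and depth[s] <= policy.cert_depth
                      and weight(s) > 0]
            if sum(weight(s) for s in usable) >= 1:
                newly[key] = 1 + max(depth[s] for s in usable)
        if not newly:
            return depth
        depth.update(newly)


# Constructed keyring: "me" signed alice and bob personally; everything else
# is vouched for by others. alice and bob are the marginal introducers whose
# signing habits the question is about.
SIGNATURES = {
    "alice": {"me"},
    "bob": {"me"},
    "carol": {"alice", "bob"},   # accepted only on alice's and bob's word
    "dave": {"carol"},
    "erin": {"alice"},
}
OWNER_TRUST = {"alice": "marginal", "bob": "marginal", "carol": "full"}

POLICIES = {
    "2/4/5 (first poster)": Policy(2, 4, 5),
    "1/2/2 (reply)": Policy(1, 2, 2),
    "1/2/1 (shallower depth)": Policy(1, 2, 1),
}


def compare():
    return {name: valid_keys("me", SIGNATURES, OWNER_TRUST, p)
            for name, p in POLICIES.items()}


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name}: {sorted(result)}")
```

With 1/2/2 two marginal introducers are enough to validate carol's key, and carol then validates dave's; with 2/4/5 neither is accepted, so the large CERT_DEPTH never comes into play.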

From: Ian Lin
Area: Public Key Encryption
To: Marc Stuart
17 Nov 94 17:47:46
Subject: PGP embedded binaries

MS> Besides, we were discussing steganography. What exactly was your
MS> point?

I don't know what steganography is. My point is that embedding data into other data isn't all that hard.

... 9 out of 10 men who try Camels prefer women.

From: Ian Lin
Area: Public Key Encryption
To: Wes Landaker
17 Nov 94 17:47:48
Subject: legal PGP

WL> Do you have any reason, besides just that "a lot" of others
WL> are using PGP 2.3a,

This one is more than good enough.

... Jesus saves sinners and redeems them for valuable prizes!

From: Ian Lin
Area: Public Key Encryption
To: Joe Eversole
17 Nov 94 17:47:50
Subject: legal PGP

-----BEGIN PGP SIGNED MESSAGE-----

JE> Excuse me, but what's the point in encrypting a public message?

Maybe netmail isn't available to that person. It's not available to a lot of people.

___--BEGIN PGP SIGNATURE-----
Version: 2.3a
___--END PGP SIGNATURE-----

... If code was meant to be portable it would have wheels and a handle.

From: John Schofield
Area: Public Key Encryption
To: Marshall Votta
20 Nov 94 09:56:16
Subject: Status of Clipper

-----BEGIN PGP SIGNED MESSAGE-----

--====--

JG> Does anybody know the current status of the Clipper chip? The last I heard
JG> was that the Clinton administration supports it.

MV> Clipper was, in and of itself, defeated as a proposal.
MV> It managed to
MV> stir activity in the otherwise computer-idle minds of political
MV> amerikka, so do not expect to sleep soundly just yet.

Clipper is nowhere near dead. They're still pushing it for voice telephones--just not for computers or faxes.

John

-----BEGIN PGP SIGNATURE-----
Version: 2.7
Comment: Call 818-345-8640 voice for info on Keep Out magazine.
-----END PGP SIGNATURE-----

**EZ-PGP v1.07
... A day without sunshine is like night.

From: John Schofield
Area: Public Key Encryption
To: Jim Gillispie
20 Nov 94 09:56:18
Subject: Lawyer 1/4

-----BEGIN PGP SIGNED MESSAGE-----

--====--

JG> Hmm. Well yeah I suppose that's correct if they got your key second
JG> hand (i.e. from a source other than PKEY_DROP) so here's another
JG> option: Put a comment block in with your key. This will be plain text
JG> like the VERSION: line and I 'think' that it shows on Public Key
JG> Blocks. If it in fact does no one could delete this line(s) without
JG> invalidating the key.

Not really. PGP does almost no checking on the contents of a comment block, and this is NOT part of the signed text. See the recent problems with the clearsigning bug for more information. PGP just ignores headers.

John

-----BEGIN PGP SIGNATURE-----
Version: 2.7
Comment: Call 818-345-8640 voice for info on Keep Out magazine.
-----END PGP SIGNATURE-----

**EZ-PGP v1.07
... Booze and math don't mix. Don't drink and derive.
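
The point made in the reply above, that armor header lines such as Version: and Comment: are outside the protected data, as an added example (not PGP's code and not part of any post): a small ASCII-armor encoder and parser showing that the armor CRC-24 covers only the decoded bytes. The payload is a constructed stand-in, not a real key, and the names in the Comment line are made up.

```python
import base64

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB   # armor checksum constants


def crc24(data: bytes) -> int:
    """CRC-24 carried on the '=XXXX' line that closes an armored block."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(payload: bytes, headers: dict, kind: str = "PGP PUBLIC KEY BLOCK") -> str:
    """Wrap binary data in armor: header lines, blank line, radix-64, checksum."""
    body = base64.b64encode(payload).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    check = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN {kind}-----",
                      *[f"{k}: {v}" for k, v in headers.items()],
                      "", *lines, "=" + check,
                      f"-----END {kind}-----"]) + "\n"


def dearmor(text: str):
    """Return (headers, payload, crc_ok). Headers never enter the checksum."""
    lines = text.splitlines()
    start = next(i for i, l in enumerate(lines) if l.startswith("-----BEGIN "))
    end = next(i for i, l in enumerate(lines) if l.startswith("-----END "))
    headers, i = {}, start + 1
    while i < end and lines[i].strip():        # header lines run to the blank line
        key, _, value = lines[i].partition(": ")
        headers[key] = value
        i += 1
    body = lines[i + 1:end]
    check = body.pop()[1:] if body and body[-1].startswith("=") else None
    payload = base64.b64decode("".join(body))
    crc_ok = (check is not None and
              int.from_bytes(base64.b64decode(check), "big") == crc24(payload))
    return headers, payload, crc_ok


def tamper_demo():
    # Constructed stand-in for the binary key packets.
    payload = b"constructed stand-in for binary key packets; not a real PGP key. " * 2
    original = armor(payload, {"Version": "2.6.2", "Comment": "Key of Alice Example"})

    # 1) Rewrite only the Comment header line.
    header_edit = original.replace("Alice Example", "Mallory Example")

    # 2) Change one character of the radix-64 body instead.
    lines = original.split("\n")
    first_body = lines.index("") + 1
    swapped = "B" if lines[first_body][0] == "A" else "A"
    lines[first_body] = swapped + lines[first_body][1:]
    body_edit = "\n".join(lines)

    results = {}
    for name, text in (("original", original), ("header_edit", header_edit),
                       ("body_edit", body_edit)):
        headers, decoded, crc_ok = dearmor(text)
        results[name] = {"comment": headers.get("Comment"),
                         "payload_intact": decoded == payload,
                         "crc_ok": crc_ok}
    return results


if __name__ == "__main__":
    for name, outcome in tamper_demo().items():
        print(name, outcome)
```

The CRC only catches transmission damage; the cryptographic signatures likewise live inside the decoded packets, so a rewritten Comment line is invisible to both.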

From: John Nieder
Area: Public Key Encryption
To: Christopher Baker
20 Nov 94 01:40:00
Subject: SecureMail GUUCP Gate?

Another post for a FidoFriend:

==========================================================================
Is there a SecureMail GUUCP gate? 1:1/31 has been processing PGPed messages to the Internet, but a review of the rules says that encrypted traffic is prohibited there. Of all the three GUUCP gates having a rules files that I've seen, all say that no encrypted messages are permitted. There are a couple of dozen Fidonet GUUCP sites, so it seems likely that there's at least one that will gate PGPed traffic. Can anyone help me out here?
==========================================================================

... Government: A dangerous servant and a fearful master - G. Washington
___ Blue Wave/QWK v2.12

From: David Chessler
Area: Public Key Encryption
To: Shawn Mcmahon
19 Nov 94 00:03:00
Subject: Pgp abroad

On 11-16-94 (10:04), Shawn Mcmahon, in a message to David Chessler about "PGP ABROAD", stated the following:

SM> DC> commercial use (which is cheap enough). Moreover, there is no
  > DC> prohibition on IMPORTING secure encryption, so have the foreign
  > DC> party buy an extra copy of whatever is commercially available
  > DC> (probably triple DES), and send you the floppy.

SM>Even better would be a foreign implementation of MDC/SHS. That'd REALLY
  >make the government prohibitions look stupid.

Peter Gutmann is a New Zealander. SFS uses MDC/SHS.

SM>What I'd like is a really good implementation of MDC/SHS written by a
  >Libyan, Iraqi, or Red Chinese author.

You got something against Cubans, Iranians and North Koreans? New Zealand does not permit our nuclear-armed naval vessels to use its ports.
___ __   chessler@trinitydc.edu
d_)--/d  chessler@cap.gwu.edu
* SLMR 2.1b * E-mail: ->132 1:109/459 david.chessler@neteast.com

From: Basil Hoyl
Area: Public Key Encryption
To: Jason Carr
20 Nov 94 21:18:02
Subject: Lawyer 3/4

Well, I guess I have been found out. When a board allows the use of "handles" I am generally known as "Lawyer" because that gives most people some frame of reference and those who don't even know me yet can already dislike me. :)

From: Shawn McMahon
Area: Public Key Encryption
To: Basil Hoyl
21 Nov 94 11:33:20
Subject: Lawyer 2/4

Despite the stern warnings of the tribal elders, Basil Hoyl said this to All:

BH> If others follow my suggestion that public keys contain in the
BH> ID field more information than bare name and address, but
BH> actually identify the complete person whose key it is, then
BH> while some will always consider it to be bad taste, it might
BH> become acceptable to the community at large

Basil, name and address is surely enough identification to show who someone is, without fail.

When you send somebody a snailmail letter, you don't write intimate details about their life on the cover of the envelope, to help the postman determine *WHICH* Basil Hoyl at that address gets the letter, do you?

If you're wanting a comment field added to the keys, then by all means ask Phil to add a comment field at some future date. For now, all that's necessary is an unambiguous method of determining which Basil Hoyl should get the message, out of a KEYRING. Not out of the world.

After all, nobody scans their PGP keyring for lawyers when they need one, any more than they'd scan it for doctors or building contractors. And they darn sure don't read your snailmail address and wonder "darn, what if there are 16 people named Basil Hoyl at that address? I really need to know where he graduated law school."
If a customer needs to contact you with encrypted information, he can easily call you and ask for your key. Doing so doesn't open him up to any observer, because when he sends you the encrypted mail it'll be full of footprints as to who sent it anyway.

Advertising doesn't belong in the PGP key. That's an ID field, and there's nothing that serves as an identification more than a name followed by an address.

Anybody that needs your services as an attorney will have located you through conventional means, NOT through their PGP keyring. After all, why would anybody even bother with your key unless they already wanted to contact you?

If you put enough keys for people you don't contact into your keyring, you'll see exactly what I mean here, as it begins to take several minutes to go through your key every time you try to use PGP.

If they've located you through conventional means, and for some bizarre reason they don't think your address is unambiguous enough, they can call you (or your secretary, perhaps) and check the keyID.

PGP keys aren't supposed to take up 1k apiece, and PGP keyrings aren't supposed to contain every key one has ever encountered. The keys are supposed to be as small as is practical, and the keyrings are supposed to contain the keys of people you regularly contact. That's how the program is designed to work, and anything outside that range causes minor inefficiencies to bloom out of control.

My pubring is over 80k; if everybody in it made keys as large as your old one, it'd be over a meg. That's a hell of a difference, don't you think?

Basil, please take this message in the spirit in which it is intended; honest discussion regarding something about which we disagree. I bear you no ill will.
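The size argument in the message above, as an added example that is not part of the original thread: Python that walks old-format packet headers (the layout PGP 2.x keyrings use, per RFC 1991) and totals the bytes each key occupies by packet type. The keyring is constructed with zero-filled bodies of typical 1024-bit RSA sizes; the function names and user IDs are illustrative assumptions.

```python
"""Tally the bytes each key occupies in a PGP 2.x-style public keyring."""
import struct

# Old-format packet tags found in PGP 2.x keyrings (RFC 1991).
TAG_NAMES = {2: "signature", 6: "public-key", 12: "trust", 13: "user-id"}

# Constructed user IDs: a bare name/address, and a set carrying search keywords.
SHORT_IDS = ["Joe Smith <joe@example.org>"]
LONG_IDS = [
    "Joe Smith 123 Anystreet, Anytown, NY (123) 456-7890",
    "Joe Smith investigator reporter newspaper publisher media",
    "Joe Smith French Spanish German notary key certify telecommunications",
]


def make_packet(tag, body):
    """Build an old-format packet: CTB (1 0 tag[4] lentype[2]), length, body."""
    if len(body) < 256:
        return bytes([0x80 | (tag << 2), len(body)]) + body
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body


def walk_packets(data):
    """Yield (tag, header_length, body) for each old-format packet in data."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"offset {pos}: byte is not a packet header")
        if ctb & 0x40:
            raise ValueError(f"offset {pos}: new-format header not handled here")
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError(f"offset {pos}: indeterminate length in a keyring")
        nlen = (1, 2, 4)[ltype]
        if pos + 1 + nlen > len(data):
            raise ValueError(f"offset {pos}: truncated length field")
        length = int.from_bytes(data[pos + 1:pos + 1 + nlen], "big")
        start = pos + 1 + nlen
        if start + length > len(data):
            raise ValueError(f"offset {pos}: truncated packet body")
        yield tag, 1 + nlen, data[start:start + length]
        pos = start + length


def key_sizes(keyring):
    """Return one dict per key: first user ID, total bytes, bytes per packet type."""
    keys = []
    for tag, hlen, body in walk_packets(keyring):
        if tag == 6:  # a public-key packet starts a new key
            keys.append({"user_id": None, "total": 0, "by_type": {}})
        if not keys:
            raise ValueError("packet found before the first public-key packet")
        key = keys[-1]
        name = TAG_NAMES.get(tag, f"tag-{tag}")
        size = hlen + len(body)
        key["total"] += size
        key["by_type"][name] = key["by_type"].get(name, 0) + size
        if tag == 13 and key["user_id"] is None:
            key["user_id"] = body.decode("latin-1")
    return keys


def sample_keyring():
    """Constructed keyring: same key size, different user-ID and signature load."""
    pub = bytes(141)  # body size of a 1024-bit RSA public-key packet (placeholder)
    sig = bytes(149)  # body size of a 1024-bit RSA signature packet (placeholder)
    trust = make_packet(12, b"\x00")

    def key(user_ids, sigs_per_id):
        out = make_packet(6, pub) + trust
        for uid in user_ids:
            out += make_packet(13, uid.encode("latin-1")) + trust
            out += (make_packet(2, sig) + trust) * sigs_per_id
        return out

    return key(SHORT_IDS, 1) + key(LONG_IDS, 3)


if __name__ == "__main__":
    for k in key_sizes(sample_keyring()):
        print(f"{k['total']:5d} bytes  {k['user_id']}")
        for name, size in sorted(k["by_type"].items()):
            print(f"        {name:<11}{size:5d}")
```

With these constructed sizes, the signatures attached to each extra user ID account for far more of a key's size than the ID text itself.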
From: Shawn McMahon    Area: Public Key Encryption
To: John Schofield    21 Nov 94 14:14:06
Subject: PKZIP security    UpdReq

Despite the stern warnings of the tribal elders, John Schofield said this to Jim Cannell:

JS> PKZCRACK.ZIP 47613 12-Oct-94

That was a different one than the one I had, so I FREQed it.

First off, it's twice as large as it needs to be, because contained inside the archive is a second archive called "PKFIXED.ZIP" which contains the same files. Looks like somebody forgot to clean up after PKZIPFIX. :-)

Inside are two executables; ZIPCRACK, and CRACK.

I used PKZIP 2.04g to make a test archive, containing the ZIPCRACK.DOC file, encrypted with the password "aaa".

I first attempted to use CRACK, set for a password length of 3 and default options, meaning it could check lowercase, uppercase, and digits. It informed me that ZIPCRACK.DOC was compressed with "an unknown mode." I was not impressed, since the program purports to be from 1994.

Then I tried ZIPCRACK.EXE. First, I tried it with lowercase only, maximum and minimum password length set for 3 characters. In a few seconds, it reported it couldn't find the password.

Then I set it for lower and upper, minimum 3 and maximum 4. After a few minutes, it crashed out to DOS with an error message.

I'd give CRACK an F-, and ZIPCRACK an F.

I do not have an old PKZIP around to check either program with obsolete methods; I only use Info-ZIP for my antique ZIP needs.

From: Jim Bell    Area: Public Key Encryption
To: JOHN GOERZEN    21 Nov 94 00:01:00
Subject: Status of Clipper    UpdReq

-=> Quoting John Goerzen@1:291/51 to All <=-

JG> Does anybody know the current status of the Clipper chip? The last I
JG> heard was that the Clinton administration supports it.

That is, more or less, the current position.
If you oppose Clipper, as the vast majority of those who've heard about it do, I recommend that you contact your Senators and Representative (this is doubly important if they are Republicans: Make sure they're aware that Clipper was first publicized under Clinton) and make sure they're aware of your absolute opposition to it.

The reason it's so important to contact Congress is that it doesn't appear that Clinton will get "his way" on anything over the next two years. If the Republicans realize the massive public opposition to Clipper, they have yet another motivation to portray it as just another of Clinton's mistakes. Once that happens it'll be curtains on Clipper for at least two years, and probably forever.

... The rest of this tagline is encryp*&l#1E0+=|>fcd}85^7@jowxz*7"[=-
___ Blue Wave/QWK v2.12

From: Jim Cannell    Area: Public Key Encryption
To: John Schofield    20 Nov 94 19:00:24
Subject: PKZIP security    UpdReq

-----BEGIN PGP SIGNED MESSAGE-----

In a msg on , John Schofield of 1:102/903 writes:

JS> PKZCRACK.ZIP 47613 12-Oct-94
JS> Password guesser to recover PKZipped files where the
JS> password has been lost. Configurable for character
JS> set to be used and length of password.

JS> Should be FREQable. I haven't used it.

Got it. I'll try it out and let you know how it works.

Jim - International SecureMail Host (ISMH)
PGP key 1024/B7822B3D fingerprint = 0F F4 79 06 3B 33 99 D1 07 36 66 66 80 85 76 B3
Protect your right to privacy. Say no to GAK.
-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQCVAwUBLtAPBCWTIMO3gis9AQFeQgP/S1cDajNtTgAUzZ7GVMnJcnuOyN4oxcXP
0/dd3XynQxjAt3lxOX5fQxqyreuYf1C1q+MyDgC7U3LyHrAPddwvFBNbUAvoDNQt
WcvrFbuYs8W0qLwcPGpwoQjtUeYQ+f6b7kXTcC/n7gSyLhtNXEITYXNIbukY0NPd
IiefLxapq2E=
=qNtt
-----END PGP SIGNATURE-----

From: Scott Mills    Area: Public Key Encryption
To: Frank Hicinbothem    20 Nov 94 20:29:18
Subject: PKZIP security    Pvt UpdReq

Saturday November 19 1994, Frank Hicinbothem writes to Scott Mills:

FH> I attempted to do so about forty-five minutes ago. Instead of the file, I
FH> got one called ABOUT.DOC, which reads:

Hopefully that is fixed now. I installed a new OS and repartitioned my drives this weekend. Some of my paths are still not set to what they should be.

Scott

Clinton: The Bill of Wrongs.
Scott Mills 1024/26CD5D03 For my PGP key freq PGPKEY
sm@f119.n265.z1.fidonet.org
---

From: C.John Zammit    Area: Public Key Encryption
To: All    18 Nov 94 22:04:44
Subject: Encryption    UpdReq

Hi, I'm new to this conference and would like to have someone respond. Sometime ago I wrote a program to encrypt messages, one at a time. The program generates a key for each message and each character of the message has its own code. To my mind, it's virtually impossible to decipher a message encrypted with this program; I would like to meet with an expert who can test the validity of what I think the program can do. Would appreciate all replies.

From: Christopher Baker    Area: Public Key Encryption
To: Wes Landaker    21 Nov 94 17:12:48
Subject: Re: PGP 2.6.2 OS/2 compile?    UpdReq

-----BEGIN PGP SIGNED MESSAGE-----

In a message dated: 19 Nov 94, Wes Landaker was quoted as saying:

WL> Is there an OS/2 compile of PGP 2.6.2 out yet? =) If it's already
WL> been mentioned in here, I must have missed it completely.
MIT has had it for over a month. they are still sitting on it and Phil is out of the country. [sigh]

TTFN.
Chris

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: PGP 2.6.2 is LEGAL in Zone 1! So USE it! [grin]

iQCVAwUBLtEbY8sQPBL4miT5AQETVQP7BOGfbujT659eVCB/TRldj/Hdc6Vp1WUC
3QsKn0XQodBDkNTvbmJMzyfFm2tsBvIybTDO8+eqrc8dnvwygshqqsh3VnNvJD9a
pFvUi6bEm/Zq7eP3sohajlmxrXHF312J4VCRkWWJ1AKD7Q44IbGsqeSrC5pYMTE9
8e4xouPs9M8=
=ZFK9
-----END PGP SIGNATURE-----

From: Christopher Baker    Area: Public Key Encryption
To: John Nieder    21 Nov 94 17:18:36
Subject: Re: SecureMail GUUCP Gate?    UpdReq

-----BEGIN PGP SIGNED MESSAGE-----

In a message dated: 20 Nov 94, John Nieder was quoted as saying:

JN> Is there a SecureMail GUUCP gate? 1:1/31 has been processing PGPed
JN> messages to the Internet, but a review of the rules says that
JN> encrypted traffic is prohibited there. Of all the three GUUCP gates

we have no direct Guucp Node in the SMH system. i have never had any mail refused or returned from 1:1/31 which is my sole routing point into the Internet.

TTFN.
Chris

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: PGP 2.6.2 is LEGAL in Zone 1! So USE it! [grin]

iQCVAwUBLtEcwMsQPBL4miT5AQH7agP/X6lRFUQG7cfCGFNKKp613t+iRPoaVz4s
uE0kOaJnp1IysTOVgo9t7Mm7f0g4he24oGdQo67IuUmohEfkf8jOHsv9KxtGhw3r
+XQHnR+LWwHQ/k+QYRRIz9EcpETMpHIoeKf+mFRLQmrndJdrgFerXWXfNL3C3Ahp
O4Fb1nFO+Cc=
=D7DZ
-----END PGP SIGNATURE-----

From: Brian Giroux    Area: Public Key Encryption
To: Mark Carter    21 Nov 94 22:01:00
Subject: GETTING KEYS FROM SERVERS    UpdReq

MARK CARTER pounded out random words to BRIAN GIROUX, and it looked something like this:

BG> Is there a way to get keys from a key server through FidoNet?

MC>Sure, just send through the 1:1/31 gateway.

Could you explain the steps to take?
I'm InterNet illiterate :( I have sent "private" net mail to an InterNet address through 1:1/31 but that's about all.

Brian Giroux
PGP public key available
* 1st 1.11 #1757 * You can't have everything...where would you put it??

From: Brian Giroux    Area: Public Key Encryption
To: Shawn Mcmahon    21 Nov 94 22:12:00
Subject: TRUST    UpdReq

SHAWN MCMAHON pounded out random words to BRIAN GIROUX, and it looked something like this:

SM>Then you change his trust parameters on your keychain, to show that you don't
>trust him to act as an introducer. Signing someone's key mostly indicates that

I think I'll have to re-RTFM. A while back I came across a switch that listed all the keys on my keychain, and there were two columns with "untrusted" in them. That always puzzled me, but now it's beginning to make sense. One column to say if the key is trusted to be authentic, and one column to indicate if the owner of the key is trusted as an introducer.

BTW, does anyone know which switch that was that I used? I can't seem to reproduce that list.

Brian Giroux
PGP public key available
* 1st 1.11 #1757 * The only way to have a friend is to be one!!

From: Glen Todd    Area: Public Key Encryption
To: John Mudge    21 Nov 94 09:38:00
Subject: Re: PGP and GoldEd    UpdReq

-----BEGIN PGP SIGNED MESSAGE-----

* Reply to msg originally in Sysop personal mail

John Mudge mumbled indistinctly to Glen Todd something about PGP and GoldEd ---

JM> * Forwarded from area 'PUBLIC_KEYS'
JM> I am not sure if I understand your dilemma exactly, but if you are
JM> trying to get "John Mudge" from your batch file to a text file, use:
JM> ECHO John Mudge >> pgp.tmp

Solved the problem -- thanks.
//Glen

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBLtC+1Ju+M/xchk8pAQEwLwP+Lrv78wAYgsc0P3goBIcXTcTyu3b0uk1X
rsZ1S5GnFL2+fg1SdRGhi6uDG35UuuStItd4dsxFCmEnYrOGlGaLZdiSz/Dq+adz
ToR3L8qQBrw6u/Izn3lJgGGQVuQ3TzRHoWwS2LRExJdwsaFRqIUv2wb4tfroS6ih
o4R1q3HS1M0=
=bFp5
-----END PGP SIGNATURE-----
~~~ PGPBLUE 2.5
... Security, confine Ensign Mudge to the brig.

From: Basil Hoyl    Area: Public Key Encryption
To: Jim Gillispie    21 Nov 94 12:46:48
Subject: Re: Lawyer 1/4    UpdReq

-=> Quoting Jim Gillispie to Basil Hoyl <=-

JG> Did the above come across this way or is it the result of your
JG> edits? Just curious if I need to check my mail software.

I was editing for brevity and tried to use "..." where text was deleted. I did goof with a "," and a "." when I was moving text to format it for upload. Now, I have the super-new-improved OLR which should avoid these types of problems in the future. I tried to remain faithful to the original message and only include the text to which I was making reply.

JG>> I really don't care _who_ you say you are on a PGP
JG>> level. If I want to know _who_ you are, I'll initiate a
JG>> _conversation_ with you to investigate just that. As for

BH> The problem with initiating a conversation to determine who
BH> a person is centers on the anonymity of pgp keys and
BH> communication.

JG> I'm not sure where you're going with the anonymity issue here. Could
JG> you expound a bit?

How would you know to initiate a conversation with me to determine if I am who I say I am if you did not know that I MIGHT have special knowledge which could be of use to you and which might be of a sensitive nature?

If you wish to send secure, very secret communications, you would probably not have any real name or identity in the ID field, and the fact that there was a secret message would be hidden by disguising the file as a gif file or other method of hiding the fact of communication.
For instance, if a fellow's girlfriend's husband found out that his wife and the fellow were having secret communications (pun intended), it would be worse than if the husband merely thought the fellow sent a picture of apples and oranges, and it would be worse than if the husband thought the wife simply had pictures of apples and oranges, and it would be worse than if the husband thought the wife was sending secret communications to "Mr. Bill." It MIGHT not be as bad as if the husband actually intercepted and read the communication.

We typically do not have that level of privacy in PGP. We add e-mail addresses and other information to identify ourselves, but that is still not very much. If you look over the echo, you will find several keys from various people, but what do you really know about them, and what do you think you know?

This is what I mean by anonymity. If my frame of reference for Jim Gillispie is only "Jim Gillispie" and an address, then you have some degree of anonymity. If I also know you are a programmer/analyst then your public key becomes more useful. If I know that you work in the area of video photographic enhancement, etc, and you have testified previously as an expert, then I might have a reason to send you secret messages should I ever have need of someone to examine video to see if it has been modified. Without that type of detail, you might just as well be named John Doe. (BTW, what do you do in the field of programming?)

If we drop for the moment the idea of whether or not they are being honest, and focus on what they say about themselves, we still know very little. My proposal was to have the id field state more than the fact that "I am" and "my name is JOE" and "write to me at " since I still have no great frame of reference for Joe. I would rather see Joe identified as Joe Smith 123 anystreet, Anytown, NY zippp (123) 456-7890, and a few key words which could be searched.
Examples of the types of key words I would like to see would be: investigator reporter New York Times Newspaper Publisher Media, etc... and then I would guess that if I sent a private message to Joe, I could read about it in the morning :) At least I would have a starting point for further investigation. If I wanted to inform the media of a certain event and Joe was on my public key, I would be able to check the trust parameters, or perhaps use other methods of investigation, but I would have a starting point.

It has been suggested that when contacting an organization, it is possible to question the people there to obtain their public keys. From that point, you already have the organization. If you are looking for particular information or information on a particular topic, I think a good starting place may be the public keys of the people with whom you come in contact.

As for other key words that might be of use: how about French or Spanish or German or C++ program or skip tracer or Federal Agent or florist or flowers or ticket scalper (legal some places, not legal other places) or broker or stock or land or notary or key certify or telecommunications or banker or ....

Sure, you could look in the yellow pages or other method of locating the person and probably have good success. This is merely another method of doing this, and if you include an address and telephone number, it is probably as secure as the yellow pages to determine if the person is who they say they are, and more secure if you have the key certified by trusted authorities. Further, you already have the public key and address and can chat with general information, including methods by which the initiating party may verify the identity and expertise of the party with the public key.

JG> Each separate part of a key-ring is stored in a 'packet'. There are
JG> tons of them in a typical key; for instance: key-id, user-id,
JG> timestamp, public-key, signature, message digest, compressed data,
JG> literal data, comment, secret-key, public key certificate, keyring
JG> trust. PGP has to 'digest' all of these when working with a given
JG> keyring. Some of them may contain one or more of the other packets.
JG> Such as a public key; it contains the key-id, user-id, timestamp,
JG> message digest, literal data, comment, and one or more signatures. So,
JG> as you can see, the CPU resources needed to digest a key can increase
JG> exponentially as you increase the size of your key.

Will a signature which certifies your public key also cause these delays? It would seem so from this information.

JG> The purpose of PGP as I see it is not to conduct blind communications
JG> via secure channels, it is to provide secure communications with
JG> individuals whom you in fact know and/or trust when face time is not
JG> available or appropriate.

PGP can be used as a tool to locate people via the ID field. Whether or not they can be trusted and to what extent they may be trusted is another matter.

... Penny U 214.650.0382 PGP Echo

From: Basil Hoyl    Area: Public Key Encryption
To: Jim Gillispie    21 Nov 94 13:47:48
Subject: Re: Lawyer 2/4    UpdReq

-=> Quoting Jim Gillispie to Basil Hoyl <=-

BH> how much information is enough or too much is to give some
BH> thought to the size of an ascii pgp public key file. Mine was
BH> about 1700. (now down to less than 800) This also goes to

(now much less than that)

JG> such I know that I pay a performance price in working with it. The
JG> thing that blew me away with your key was that: when I added it I had
JG> only about ten people on my key and it took my machine about 5 seconds
JG> to read in my key-ring, after adding your key the time jumped up to
JG> around 30+ seconds ( I actually had to hit the Caps Lock key to verify

JG> Say I'm involved in the
JG> organization of public militias (something our Gov't here in the
JG> states don't want). Why in gods name would I put that in my public
JG> key and then post it on a public conference? Uh, excuse me here but I
JG> just violated my own personal anonymity didn't I? I post my key so
JG> that people who wish to send me _private_ and _secure_ mail may do so,
JG> period. What possible reason would I have to send Bill Clinton PGP
JG> encrypted mail (other than to piss him off)?

Well, if you had some really good dirt on Newt G., you might want to let Clinton know, but you might have qualms about letting everyone know from whence it came (especially if you were on Newt's staff, etc...)

If you want private and secure messages, you MUST use a false name and access messages in such a manner as to maintain anonymity. Otherwise, you are subject to traffic analysis and the danger that the individual on the other end of the message will reveal your true identity and messages.

For most of my messages, I allow people to know who I am and try to give them sufficient information for them to know a little about me. If they wish to send secure messages, then they can do so. If they wish to be sure that I am who I say I am, there is plenty of information to enable them to do so with reasonable certainty.

BH> I would be happy to discuss topics relating to law
BH> with individuals in Russia or South Africa, and they might not
BH> wish their communications to be publicly read!
JG> If you were in such a situation, would you really initiate or
JG> participate in a conversation with someone you haven't actually met
JG> and knew, on a subject that could possibly put you in jeopardy? I
JG> certainly would not.

Well, I have discussed such matters with Soviets in face to face settings in the US, and since it is not too difficult to verify that I am who I say I am, I think that they would be able to communicate. If something you say is going to get you killed, of course you might wish not to speak at all.

However, with the use of anonymous public keys and large bulletin boards, one in that type of position could view my public key and inquire about me if they needed additional assurances. They could e-mail me with instructions about how to contact them (I could place a stego encrypted pgp gif file with their anonymous public key [john doe in the id field] for ftp or freq) They would never have to be associated with the files other than downloading the gif which has secrecy and some measure of deniability.

The danger to them is in examination of their equipment or interception of the fact that THAT INDIVIDUAL sent encrypted traffic to me on the first communication. (further communications could be made via freq or ftp of .gif or .wav or other similar methods) Since my public key does not state from whom traffic is sent when the message is sent encrypted by my public key, the danger is limited to identification of the poster by other methods such as; checking that the individual who leaves the e-mail is the person they state they are and tracing of the communication to a real individual. This assumes that PGP and IDEA are secure and will remain secure for some period of time.

JG> Let's say I have a particular interest in exterminating lawyers and
JG> attorneys because I just got cleaned out in a bitter divorce
JG> settlement. Do you want me to have this easy of access to your name
JG> and location? From the info you provided it would take very little
JG> effort on my part to hunt you down like a crippled deer. Not a
JG> situation I'd want to be in. Granted that's an extreme, but we _are_
JG> talking about privacy here.

Get in line. I have been hunted before by armed and dangerous bitter divorcees and I am still here. I am not hard to find under any circumstances. BTW, as a lawyer who has been in that situation, I will state that I am rather heavily armed. (not a crippled deer, but a grizzly bear - hunt me and I hunt back :)

JG> None of which is the intended purpose of Public-Key Encryption. The
JG> purpose (and this is only my opinion based upon my interpretations of
JG> Phil's writings) is to provide a means of 'sealing your e-mail
JG> envelope'.

A very good tool for that it is. I think it can be more.

BH> PGP is what we make of it. It is written to allow several ID
BH> fields to fully identify the person whose key is listed. I chose
BH> ... The only reason you should have a ring of that
BH> nature is if the individual keys so fully identify the person
BH> that you know their name, how trusted the key is, how to contact
BH> them, and why you might wish to contact them (their expertise,
BH> etc...) Without all these things, what use is such a public key
BH> ring?

JG> I think you may be confusing the definition of 'public' in this
JG> context. Public here means that it is a means for anyone wishing to
JG> initiate private conversation with you may use this key so that _only_
JG> you may read the contents of the message by using your secret key to
JG> decrypt it. It's not meant to be a directory service like the
JG> white/yellow pages.

Again, why would anyone wish to contact me if all they know about me is my name? A mere name @somewhere.USA is practically anonymous. By that I do not mean that the individual may not be located.
I simply mean that with more information about a person on their public key, it is easier to determine whether I would wish to initiate private communications with that person.

... or heck, just call me!

From: Basil Hoyl    Area: Public Key Encryption
To: Jim Gillispie    21 Nov 94 14:02:16
Subject: Re: Lawyer 3/4    UpdReq

-=> Quoting Jim Gillispie to Basil Hoyl <=-

JG> p.s. Note that I didn't even PGP-sign this posting. If I had, would
JG> it really have influenced your confidence in the credibility of the
JG> message or me? - j

No, and I didn't sign mine, either. If I had something to say which was sensitive, it would be more secure. If you desired to know who I am, there should be enough information, even in my new, reissued and redacted key to determine everything but my blood type by anyone who knows how to look.

If I had truly secret and secure information to send, it would likely be with a different "anonymous" public key and steganographically hidden. However for merely secure communications, I have no problem with allowing my true identity (superman) to be known.

ps. I might try signing when I get the automatic signing program working with the olr.

... Penny U 214.650.0382 1:124/3208

From: Jason Carr    Area: Public Key Encryption
To: Basil Hoyl    21 Nov 94 21:48:56
Subject: Re: Lawyer 3/4    UpdReq y

-=> Quoting Basil Hoyl to Jason Carr <=-

BH> Well, I guess I have been found out. When a board allows the use of
BH> "handles" I am generally known as "Lawyer" because that gives most
BH> people some frame of reference and those who don't even know me yet
BH> can already dislike me. :)

:) Heh heh. That's not really what I was driving at, though. I was wondering about the nature of an AKA, the nature of a User ID, the nature of naming and advertising. I think there's a sizeable gray area. CypherZen.
:P

jc

From: Jason Carr    Area: Public Key Encryption
To: John Mudge    21 Nov 94 22:14:32
Subject: Re: PKZIP Crack    UpdReq

-----BEGIN PGP SIGNED MESSAGE-----

-=> Quoting John Mudge to Jim Cannell <=-

JM> After I left a message about ZIPHACK.ZIP, I freqed a copy of
JM> PKZCRACK.ZIP from Scott Mills. His archive contains both CRACK.EXE
...
JM> due to these discrepancies. CAREFULLY scan them for viruses, etc. I
JM> have not unarchived either one and have not tried using them.
JM> I cannot vouch for either and do suspect tampering.

My AV routine unpacked Scott's archive and both SCAN and F-PROT said the coast was clear. I messed around with CRACK and it schiz'ed out (didn't recognize PK2.?? maybe?). I gave a test archive a one-letter pass and pkzcrack couldn't figger it out. :(

There are a coupla names in the nodelist similar to the stated name in the PKZCRACK internal documentation; I'll drop 'em some netmail and see if that's the author.

jc

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: PGP_ECHO: CypherEcho to the gods...

iQCVAwUBLtFTokjhGzlN9lCZAQFlqwQAmxWWBw8TXTEjvSDItdILTg3sgb8cHHbO
+KcYG7nWZjyIzd3AXUfvA0kN7btNuGXB13kHR+ijo/CKpXDTULz5jme2n1EyyLRK
MhvCn4sloTdwMgn3xfm4g9S60MBx436WxLz/KPAOsbHw1izeyM0wIGvV4/N3Y3pA
HZVoRlLqMZ4=
=ZjxC
-----END PGP SIGNATURE-----
~~~ PGPBLUE 2.5

From: Shawn McMahon    Area: Public Key Encryption
To: Ian Lin    22 Nov 94 11:40:52
Subject: PGP versions    UpdReq

Despite the stern warnings of the tribal elders, Ian Lin said this to Shawn Mcmahon:

IL> You even admit here that the MIT version isn't good enough.

No, Ian, I did no such thing.

In fact, the MIT version fixes some annoying bugs, and the MIT versions all have the virtue that Phil can DIRECTLY contribute to them again. Unlike 2.3a, which was done by others "under Phil's guidance."
But, Ian, you go right ahead using that buggy old version; the rest of the world will keep progressing right on past you. You won't be able to read the stuff we write, or check our signatures, but that won't inconvenience *US*; just you.

While you're at it, though, please stop putting words in my mouth. I'm quite capable of doing that myself.

From: Shawn McMahon    Area: Public Key Encryption
To: Ian Lin    22 Nov 94 11:41:58
Subject: legal PGP    UpdReq

Despite the stern warnings of the tribal elders, Ian Lin said this to Joe Eversole:

JE>> Excuse me, but what's the point in encryping a public message?

IL> Maybe netmail isn't available to that person. It's not available
IL> to a lot of people.

That doesn't entitle him to force the rest of us to pay to import his private messages in the echo, Ian.

From: Shawn McMahon    Area: Public Key Encryption
To: David Chessler    22 Nov 94 11:47:24
Subject: Pgp abroad    UpdReq

Despite the stern warnings of the tribal elders, David Chessler said this to Shawn Mcmahon:

DC> Peter Gutmann is a New Zealander. SFS uses MDC/SHS.

I know that; I meant a foreign implementation written as a toolkit for others. An OS/2 DLL would be perfect.

SM>>What I'd like is a really good implementation of MDC/SHS written by a
>>Libyan, Iraqi, or Red Chinese author.

DC> You got something against Cubans, Iranians and North Koreans?

Those'd be good, too.

New Zealand may act like petty children regarding our nuclear wessels, but it'd be better if the encryption library was done by one of our ENEMIES. I mean, imagine trying to convince a jury that a man should be sent to jail for attempting to export a program to, say, England, just because it contains encryption code written in Libya.

Were I rich, I'd move there myself, write it, and come back.
From: Mike Riddle    Area: Public Key Encryption
To: Marshall Votta    21 Nov 94 06:17:56
Subject: Re: Status of Clipper    UpdReq

In a message to John Goerzen on Nov 17 94 at 22:06, Marshall Votta wrote:

JG>> Does anybody know the current status of the Clipper chip?
JG>> The last I heard was that the Clinton administration
JG>> supports it.

MV> Clipper was, in and of itself, defeated as a proposal. It
MV> managed to stir activity in the otherwise computer-idle
MV> minds of political amerikka, so do not expect to sleep
MV> soundly just yet.

I think you're wrong. While Clipper has not yet received the new Congress' "Good Housekeeping Seal of Approval," the administration has gone ahead with the procurement of thousands of Clipper-equipped 'secure' telephone units for use by federal and perhaps state agencies. They are hoping to establish Clipper by virtue of the federal purchasing power.

And of course, the digital telephony act contains language which some LEOs will probably interpret as saying Clipper was approved through the back door, even though that didn't happen quite yet.

From: Michael Bauser    Area: Public Key Encryption
To: Ian Lin    22 Nov 94 15:35:24
Subject: PGP versions    UpdReq

-----BEGIN PGP SIGNED MESSAGE-----

Who: Ian Lin
What: PGP versions
When: 17 Nov 94 14:41:54

MB> YOU ARE BEING PARANOID. STOP THAT. I HATE PARANOIA.

IL> I LIKE IT. Paranoia is good for the soul. Paranoia keeps you alive.
IL> Non-paranoid people are fools. They are not cautious and are easily
IL> fooled. You don't know what you're putting down. You need to look into
IL> this some more.

Blah, blah, blah, blah. There's a difference between paranoid and cautious. I know how to be cautious.
I understand my security systems backwards and forwards, I know my options, I've read the manuals for programs I don't use, and I keep up to date with the EFF, the NCSA, EPIC, and a half dozen smaller security groups. More importantly, I know people who I can trust a lot more than some self-important little pinhead who systematically misstates the truth and has no apparent grasp of reality.

Your irrational fear of the Massachusetts Institute of Technology is becoming repetitious and tiresome. Don't you have anything else to talk about? Go away.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: The legal_kludge is dead! Upgrade, already!

iQCVAwUBLtJVKMRHZFQbZSuZAQEudgP/W7bj45QaMN/FMBpGVlhgFAcmAgfbDnFo
kxutyft6XymupbEjKYOTzI/+5mEZTlrvEAbWTcwrwPUrxITE9lD34zmoDg3cYsDK
FMX87Z1bMNtLuKu0gDeomcov5LIu2KHeQSBqpkC+ovh+X4wTQXJVAwvPdA+bffZA
rcaaHBGRau8=
=rXA1
-----END PGP SIGNATURE-----
**EZ-PGP v1.07
... Even paranoids have enemies.

From: Michael Bauser    Area: Public Key Encryption
To: Ian Lin    22 Nov 94 15:53:24
Subject: Pgp    UpdReq

-----BEGIN PGP SIGNED MESSAGE-----

Who: Ian Lin
What: Pgp
When: 17 Nov 94 14:37:52

Here we go again....

AT> I just saw a file floating around PGP 2.6 or such. Is this a true
AT> release or is this a hack?

IL> It's a true release but it's not just from Zimmerman. It's made by him

ONE MORE TIME, PGP 2.3a isn't "just from Zimmerman", either. After getting in trouble over PGP 1.0, Phil turned over *all* the actual coding to programmers in other countries, so that he couldn't be charged with exporting PGP 2.0 (and up). For versions 2.0 through 2.3a, all he did was coordinate the project--essentially, he specified the file formats, command syntax, then wrote the manual. He did *none* of the actual programming.

The ViaCrypt and the MIT versions, though, he's able to do actual programming for. So, in that respect, they're more "from him" than the version you think is "from him" really is.
This is all covered in the PGP manuals, and repeated constantly in
places like _Wired_. It's obvious you can type, so why can't you read?

IL> with MIT. I don't know if I'll use it. I'm using 2.3a. There's 2.6,
IL> 2.6ui and 2.6i and 2.6.1 and 2.6.2. There's a lot beyond 2.3a but I
IL> don't use them. I wonder about them. 2.3a was abandoned by legal force.
IL> Ones from MIT I don't trust because I don't like the idea that Phil may
IL> not have had much choice about what to do with the next PGP. Phil

PRZ has the copyright on PGP. Nobody gets to do anything with it unless
he lets them.

IL> Zimmerman got into legal trouble after all for 2.3a and previous

Oddly enough, Zimmerman's never really been dragged into court over the
claimed copyright violations--just threatened a lot. Some suspect that
RSA and PKP are afraid they'd lose.

IL> versions because of copyright violations and I'm still not sure what
IL> trouble he got into for PGP being exported outside of the USA. Ones not

He's still being investigated. And that's only for PGP 1.0

IL> even made with Phil? I don't use them because I really mistrust them. I

Once again, Phil worked on the MIT versions more than he did 2.3a.
Learn to read.

IL> can use them for sig checking so I do that. I still don't want to trust
IL> more than 2.3a. 2.3a is good, works, and is trustworthy. All the others
IL> are simply too questionable due to the circumstances.

Ian, you appear to have no correct knowledge of this entire issue.
Please stop trying to mislead other people. It's not very polite.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: The legal_kludge is dead! Upgrade, already!

iQCVAwUBLtJZZMRHZFQbZSuZAQGFGgP/Yjsr1EPDB6CINuUijqyeQVGbDNMdL85W
9zuqFAn/ie9gIe1E6jDJB7DAmhi9m70W3qqAbY9wHVXLYMFg11a1lGfUcDUfv+72
sxxS5TkrjqRX9LswVUiocqkqPSteBYCz9epsGa/ba1zHLcmJpMZpUl9mdTdh+H8w
RY9ZhqKHU8o=
=YIUn
-----END PGP SIGNATURE-----

**EZ-PGP v1.07 ... PSSST! Hey buddy! Change byte C287 from 08 to 06! Pass it on!
From: Michael Bauser                Area: Public Key Encryption
To: Ian Lin                         22 Nov 94 15:59:56
Subject: PGP versions               UpdReq

-----BEGIN PGP SIGNED MESSAGE-----

 Who: Ian Lin
What: PGP versions
When: 17 Nov 94 14:44:56

IL> Then if that's what you know, stop telling me to stop using 2.3a. You
IL> even admit here that the MIT version isn't good enough.

He didn't say that. He said 2.3a has a faster RSA implementation than
2.6.2. So what? PGP 2.6.2 has a faster IDEA implementation than 2.3a.
PGP 2.6.2 comes out faster in benchmarks.

IL> ... I had a handle on life until it broke.

You don't say.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: The legal_kludge is dead! Upgrade, already!

iQCVAwUBLtJa6cRHZFQbZSuZAQGbNQP7BjvrT1OYTD1AYtwUie21cXiWsF8BAYg1
pduGLbT5syahh2g0pnrJ46KLnS9VeZvyRAePBrcuEyWE7YwnhgzFJnlqDASvDYwl
jpzN/HKDcTmQ3yvvSMAdU0TBSBCCP4RsfYRcrgWL2Kmg+YFavjXH3PgcCWZBwg9L
jOxtVXSGrlQ=
=7Ax9
-----END PGP SIGNATURE-----

**EZ-PGP v1.07 ... Cryptography: Better living through complex mathematics.

From: Michael Bauser                Area: Public Key Encryption
To: Basil Hoyl                      22 Nov 94 16:31:24
Subject: Lawyer 1/4                 UpdReq

-----BEGIN PGP SIGNED MESSAGE-----

 Who: Basil Hoyl
What: Lawyer 1/4
When: 16 Nov 94 14:50:46

BH> Gentlemen, I posted a public key which stated many
BH> things about the type of work I do and the type of expertise I
BH> have. I would like to address my concerns and have a bit
BH> more discussion on the topic of what may ethically and
BH> appropriately be placed into a public key.

Basil,

You've said elsewhere that you're new at a lot of this, so I'll try to
be gentle. If anything comes across as harsh, it's only because I'm in
a hurry (unlike messages to Ian Lin, where I mean to be harsh). I think
you've got to look at the bigger picture here.

BH> Not all people will have the text file associated with the key.
BH> Further, if they desire to search their key rings for "dog" or
BH> "breeder" it would not disclose those with those special skills
BH> or talents if it was simply in a text file. If the information is
BH> included in the key, then a search of ID will disclose that
BH> item. I think the id field should have some information more
BH> than a simple address, perhaps three or four lines of
BH> information, but your idea of sending a text file with the key
BH> is probably the correct method of approaching this issue.

1) Wanting to be locatable is perfectly reasonable, but this technique
is simply not going to work. Know why? Because that's not how people
use PGP keys. Period. Nobody thinks "I want to talk to a lawyer
privately, I check my keyring" because it's slow and inefficient, and
unlikely (in most cases) to work. They check the phonebook, under
"Lawyer". Or they check a directory server (an e-mail phonebook, if you
will). More on that below.

BH> The problem with initiating a conversation to determine who
BH> a person is centers on the anonymity of pgp keys and
BH> communication. If I would like to communicate with a
BH> particular person, I probably already know that person and
BH> what I would like to say to that person, and why it must be
BH> confidential. If I have a particular need to communicate on a
BH> particular topic, and I wish that not everyone have access to
BH> the contents of my communication, then the issue is twofold;
BH> first that I can find the right person to meet my needs, and
BH> second that the person I find is actually that person and not
BH> some government agent masquerading as a human. :) If

2) Again, that's not how anybody (except apparently you) does it. Most
people get a reason to talk to someone, *then* check to see if they use
PGP. Ninety-nine percent of the keys on the servers belong to people
who DON'T want PGP used as a penpal service. Do that and you will
infuriate complete strangers. Not good.
BH> sufficient information is placed in the id section of a public
BH> key, then the first of these two criteria is facilitated. The
BH> second is still up to the individuals. In other words, if you
BH> have a large key ring filled with "John Smith" and "Gaylord
BH> Perry" how would you know to whom to write in code in
BH> order to learn how to throw a spit ball in major league
BH> baseball unless you already knew the person. I suggest that
BH> the type of expertise you have should be placed in the id field
BH> to further identify the person and demonstrate WHO THAT
BH> PERSON IS by identifying the person not only by name but
BH> also by expertise, etc...

3) Basil, you're repeating yourself a lot, and you *are* getting a
little verbose. (Don't your hands cramp up typing all that?)

If I need to communicate with Gaylord Perry, I find somewhere I can
"look him up" that tells me who he is, where he is, and which PGP key
is his. The information in a directory server is also easier for Perry
to update when he changes teams, so it's more likely to be correct.
(You do know that once your key gets to a keyserver, all that userid is
there *forever*, don't you?) That's another plus for directory servers.

BH> Memory and the limitations of PGP may be a valid concern.

4) They are one of the *most valid* concerns. If your key is causing
software/hardware problems, you are causing problems. You don't want a
reputation for causing problems, do you? (You're getting one.)

BH> Well, Phil Zimmerman is well known to those who would use
BH> PGP, as is Bill Clinton and Mitch Kapor and other celebrity
BH> figures. If you were seeking to communicate with
BH> cryptologists, I would think that in the living memory of
BH> individuals, the name Phil Zimmerman is already identified
BH> with cryptology. This is not true for the vast majority of
BH> people. Besides, he just started this Frankenstein. It now has
BH> a life and a will of its own.
5) Finally, the ultimate reason people are NOT going to use keyrings as
a method for "finding" people: There are already much better ways on
the Internet. X.500 databases, CSO/PH phonebooks, the SLED, etc. Your
problem here is that you have to get to the Internet and see how to do
these things right. (As an aside, fidonet.org is a really low-prestige
address. Very few PGP users outside FidoNet are going to take seriously
someone who does all his advertising through FidoNet. Find an internet
provider for business.)

One of the directory methods I mentioned, SLED (AKA the Four11
database) is fairly simple to get a listing in. Send mail through an
internet gateway to info@Four11.com and they'll send you some details.
They're also very pro-PGP (they run their own members-only key-server),
so you can kill two birds with one stone.

There. That's a reasonable start to making your identity known.
Horrendously huge userids are not.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: The legal_kludge is dead! Upgrade, already!

iQCVAwUBLtJiScRHZFQbZSuZAQENeAP9FuZSfewuZkoLeoWVn/iX2lvCH4DZKxnQ
SECEpntn900XoJeXsOl7O+nEMGLnsd+ZD2Y7QTxKa6Lp446yP9V8iejDJmG+v60N
qkV0YnoFA3PTgmgNBuBTrksGf7xvmOypyO2/0nDZj1sqBcACEpf3sBWK+KrILfwm
7uGU2eTHmUs=
=Zxxz
-----END PGP SIGNATURE-----

**EZ-PGP v1.07 ... Smile!! Big brother is watching.