
Re: key for Alice as promised (not)



Alice here ...

Sorry to follow up on my own post, but I made a boo boo.  A real, big
boo boo.

On Wed, 29 Nov 1995 [email protected] wrote:

> On Wed, 29 Nov 1995, Adam Shostack wrote:
> >
> > 	I don't follow.  You're claiming that PGP is good enough to
> > transfer OTPads, but not good enough to sign pseudonymous messages?
> 
> Sure. Two different situations.
> 
> If I take a message or a data tape and encrypt it with a one time pad.  
> 
> And then I send the message out to someone via Greyhound or DHL.
> 
> And once they've confirmed that they have the encrypted message safely in 
> hand, then I'll call them and ask them to call me with their public key
> delivered by voice via telephone.

Actually, I made a big mistake here.  It's not good enough for me to
call them.  Usually I have them first call me, and then I call them
back.

I learned to do this in real-estate when I had my property management
company.

Very often, someone would call the office, and say something along the
lines of "This is Constable Acheson, from the Calgary City Police.
Could you please tell me the forwarding address of your former tenant,
Alice" (or Bob, or whatever).

My standard response always was to ask for whoever identified himself
as "Constable Acheson" to provide his division.  Then I'd hang up,
check the number for the main switchboard in the phone book and then
call him.  This way, I'd be sure it was actually him, and that he was
calling from where he claimed.

You'd probably be surprised (or maybe not) how many times there was
no such Constable.  Luckily, I just didn't give out my information to
just *anyone*.

And the same stuff applies here ... with reading and verifying the key
over the telephone.  With the phone call there should be a hangup and then
some third-party authority to confirm that the channel of communication is
*really* a valid channel. 

Sorry about leaving that part out.

It was a boo boo, eh?  But it's important, RL stuff.

> Which I then use to encrypt the one-time-pad, using the PGP key only once.
> 
> Then, I'm comfortable sending it (not the message, but the pad) over the 
> Internet encrypted with PGP.  And I think at that point, I have Pretty 
> Good Privacy.
> 
> > Adam
> > 
> > -- 
> > "It is seldom that liberty of any kind is lost all at once."
> 
> 
> 
> Alice de 'nonymous ...
> 
>                                   ...just another one of those...
> 
> 
> P.S.  This post is in the public domain.
>                   C.  S.  U.  M.  O.  C.  L.  U.  N.  E.
> 

Yep, it was the real me this time ... and no, I didn't add another
"signature" encrypted or not encrypted to the bottom of this post. 

Let me ask this though??  Would the "quality" of my post have changed one way
or another, if this was signed, or not?? 

IMHO, the message should make sense (or not) either way.

                           ... Alice ...