
Re: Auto-pgp for pine/elm/tin (fwd)


On Fri, 25 Aug 1995, P.J. Ponder wrote:

> Date: Fri, 25 Aug 1995 21:52:47 +0100
> From: P.J. Ponder <[email protected]>
> To: [email protected]
> Cc: [email protected]
> Subject: Auto-pgp for pine/elm/tin (fwd)
> In Garfinkel's book, he talks about the risks of running PGP on a 
> multiuser system where others (sys. admins, e.g.) have higher levels of 
> authority than you do.  I have PGP installed on my PC and if I want to 
> use it, I can save the message in ASCII, then upload it to the server 
> where I have my Internet account, then mail it.  Maybe not entirely 
> transparent, but at least it seems to me that the convenience of running 
> it on the server with something like Mr. Wilcox's BAP is not worth the 
> added risk.  Besides, how often do you need to use it?  
> --
> pjp

the risks etc of using pgp on a multiuser platform are well known.

i'd say it's better to have a pgp signed mesg than an unsigned one.

if you post a lot, or mail a lot, that's a lot of mesgs to sign.
finding a tool to do this more easily than using pgp through the shell
interface is 'a good thing'.

given that, here are some args for signing on a multiuser platform.

often, people (me included) choose to use a separate 'weak' key for 
these purposes.  it's always nice to have some sort of indication that 
that is what the key is for.  i had a key with 'INSECURE KEY!!' tagged 
on the end of my userid.  i had another for secure communications.

now, you can't stop some sysop type person from doing whatever to you.
that's the way it goes.  but, if you've got a really malicious sysop,
they could just spoof you to the world, including making up a key
supposedly from you.  if they posted enough crap using that key people
would begin to think that they are really you or that one of you is
lying and to hell with both of you.  this sort of denial of service
attack is an unlikely event (unlikely for a sysop to do - someone else
is a diff matter).

finally, independent of multiuser platforms, the signing utilities are
quite useful for people like me who have their own personal unix box
on the net.

-pjf

patrick finerty = [email protected] = [email protected]
U of Utah biochem grad student in the Bass lab - zinc fingers + dsRNA!
** FINGER [email protected] for pgp public key - CRYPTO!
zifi runs LINUX 1.2.11 -=-=-=WEB=-=-=->  http://zifi.genetics.utah.edu 
