[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PGP in UK - snooped as unSTEALTHed?

To: [email protected]
Subject: Re: PGP in UK - snooped as unSTEALTHed?
From: Bill Stewart <[email protected]>
Date: Fri, 15 Sep 1995 00:23:43 -0700
Cc: [email protected]
Sender: [email protected]

At 06:29 AM 9/12/95 -0400, Perry wrote, replying to Gary:
>>    When are the PGP designers and coders going to get serious
>>    and develop STEALTH PGP inside PGP itself!?
>Never, I hope. It would dramatically lower the utility of the
>system. Can you imagine how disgusting it would be to try decrypting
>something if you have a dozen keys outstanding? 

I disagree - if it's done right, the degree of stealth can be
user-selectable, and even moderately stealthy options can tell
which key to use without giving away much information.  (For instance,
4 bits of keyid isn't very revealing, but will tell you which one or
two of your dozen keys to try.)  Have the most non-stealth options
indicate that it's PGP-encrypted and addressed to keyid 0x12345678,
Joe User <[email protected]>, blah, blah.

The basic problem is that stealth wasn't an original design criterion,
so many parts of the PGP data format reveal at least that PGP is
being used, and occasionally other information as well.  Some things
are easy to work around (----- BEGIN PGP etc.), and some aren't.
Changing this takes a substantial amount of redesign.

>Not to mention how
>hard it would be to deal with figuring out that you should even try to
>decrypt things in the first place.
As you say a couple paragraphs later:
>If someone sees a bunch of random numbers in mail sent by me, it's going 
>to be pretty obvious what the hell is inside anyway.
Similarly, if someone emails you a bunch of random numbers....

>I very much see this whole thing as a non-issue.

Most of the time, for most users now, it's not an issue.  
But there are people who will need to hide encrypted messages, 
and as anti-privacy laws in the US become stronger, that may be us.
Is this an issue for PGP 3.0.1, or an issue for Privacy:TNG?
Probably the latter, given the state of the PGP world,
and certainly ranting at the developers to do it now is uncool.
But it should be a design goal.
#---
# Bill Stewart, Freelance Information Architect, [email protected]
# Phone +1-510-247-0664 Pager/Voicemail 1-408-787-1281
#---

Prev by Date: Re: Why ecash is traceable
Next by Date: Check Cloning frenzy and attack on anonymous accounts
Prev by thread: Re: PGP in UK - snooped as unSTEALTHed?
Next by thread: anyone got a cpunk URL for the UK munitions T?
Index(es):
- Date
- Thread