Re: Timothy C. May: Mini-mailbombs and Warning Letters

[Travis Corcoran <tjic@OpenMarket.com>]

-----BEGIN PGP SIGNED MESSAGE-----

Message-Signature-Date: Wed Sep 27 12:28:47 1995

>  Date: Tue, 19 Sep 1995 10:57:32 -0700
>  To: cypherpunks@toad.com
>  From: tcmay@got.net (Timothy C. May)
>  Subject: Mini-mailbombs and Warning Letters
>  
>  I've received a couple of "automatically generated" pieces of
>  e-amil which tell me that, in the generator's opinion, something is
>  wrong with my public key, or it could not be found at the keyserver
>
>  As the saying goes, "Sigh."
>  
>  Being on a list with 700 subscribers, some of whom are running
>  increasingly sophisticated automatic checking agents, I foresee an
>  increase in these "warning letters" from their checking agents who
>  feel posts are not adequate in some way.

As the author of the package in question, I would like to point out:

(1) the email msg Tim refers to (hereafter refered to by me as "query-mail") 
		was a request for information, not a warning

(2) the query-mail did not refer to any inadequacy in the original
		posting.  It explicitly refers to the fact that the original poster
		PGP signed a message, but did not make the public key to verify the
		message easilly available.

(3) the query-mail was sent to an actual person only after several
		non-intrusive methods had failed.

(4) checking right now, I find that the finger command does indeed
		fail to get a public key from Tim's address.

(5) checking right now, I find that BAL's keyserver does indeed fail
		to give any key with the address "tcmay@got.net"

(6) the query-mail is not a purely robotic spam: there is a human in the loop

(7) the keyserver used by query-mail generator defaults, not to some
		arbitrary preference, but to BAL's keyserver, which is the most used
		server that I know of, and which (to the best of my knowledge)
		receives regular updates from several other keyservers.

(8) given that "increasingly sophisticated automatic checking agents"
		can make it much easier for individuals to gather keys, check
		incoming messages, and sign or encrypt outgoing messages, it
		seems that such "agents" tend to increase the usage and
		acceptance of cryptography, which is a good thing for all
		concerned.


A question: in a situation like this one, where an individual signed a
message with a key then did not make a key with the return address of
his message available either through his .plan, or a keysever (the two
de facto standards), what next step -if any- do people think is more
appropriate than sending mail to the individual asking them for a copy
of the key ?

>  I'm dealing with it the same way I'm dealing with the few people
>  who have something in their MIME setup that triggers my mailer
>  (Eudora Pro 2.1) to treat their text as attachments. Namely, by
>  filtering them out.

This is a fine anarchistic solution to the problem (and that's a
compliment!), from your point of view (although, I hasten to point
out, not quite as good as submitting a key with a valid address on it
to a keyserver).  If anyone else wishes to ignore requests for keys,
the subject string to add to your email kill-file is

		"please send me your PGP public key"


Because I do think that automating parts of the the
encryption/signing/verification/decryption/key-retrieval process will
make cryptography more wide-spread (in so far as there is not a
backlash against this automation), I do not want to ignore the
concerns of others.

So...how would people do things differently if they were writing this
sort of software?  One idea proposed by Jiri Baum
<jirib@cs.monash.edu.au> is to find the key ID used to sign the
message, and then query the keyserver with this ID, as opposed to an
email string.  I'm not sure whether or not I like this idea (for
security reasons), but that question is moot, as it seems to be
impossible given the current keyservers.

Any other suggestions or ideas?

- -- 
TJIC (Travis J.I. Corcoran)       http://www.openmarket.com/personal/tjic/

                             Member EFF, GOAL, NRA.
                 opinions (TJIC) != opinions (employer (TJIC))
         "Buy a rifle, encrypt your data, and wait for the Revolution!"
	 PGP encrypted mail preferred.   Ask me about mail-secure.el for emacs.



-----BEGIN PGP SIGNATURE-----
Version: 2.6
Comment: auto-signed by mail-secure.el v 0.998 using mailcrypt.el
Comment: Processed by Mailcrypt 3.3, an Emacs/PGP interface

iQCVAwUBMGl7wIJYfGX+MQb5AQErpQP/XvoJ0QF4TEtPhJuxk5ifsUlXrl4RSvyP
dFh1MkTQWl4/D+jFHI0MW+gyi2/EmzxEW+8zYUCLENBIq8H3QJgQDnQ9NRM3JiGU
c9yd4EeE9bH8r+KppF5WfJfuE4hJ6YFRO0sdal0oJs3RfuF2ZIHoLoKPR5G97EGv
dmWg2J784ZM=
=xnv7
-----END PGP SIGNATURE-----