Re: using PGP only for digital signatures

["Perry E. Metzger" <perry@piermont.com>]

James Black writes:
>   I am in a discussion (during the week) with a system administrator 
> about seeing if we can just make PGP publically available to everyone, 
> but now the discussion seems to be to just allow PGP to do digital 
> signatures, and I don't think that is the best choice, then.  They are 
> not against PGP being used, but there are legal issues as to whether they 
> can offer it to everyone, as some students are international students, 
> and are not allowed to use the version for the US, or so I have been 
> informed, so now I need to see if we can have the international version, 
> so these students can use it. :(

Actually, nothing in the ITAR says foreigners can't USE the
U.S. version of PGP, just that you can't give them the software.

However, I think it is a bad idea to make PGP available on a multiuser
computer. It encourages a very, very bad habit -- that of using PGP on
a multiuser computer....

> What they are trying to do is make certain that no 
> one can send a message to anyone, claim to be in the faculty, and cause 
> problems that way.

But since you are using this software on a multiuser computer over
likely insecure lines, or, even worse, over an insecure LAN, all you
are going to do is make things even stickier when someone steals a key
and starts pretending to be some faculty member anyway.

Don't use public key software on untrusted hardware over insecure
links. Its a BAD BAD BAD thing.

Perry