Re: using PGP only for digital signatures
James Black writes:
> I am in a discussion (during the week) with a system administrator
> about seeing if we can just make PGP publicly available to everyone,
> but now the discussion seems to be to just allow PGP to do digital
> signatures, and I don't think that is the best choice, then. They are
> not against PGP being used, but there are legal issues as to whether they
> can offer it to everyone, as some students are international students,
> and are not allowed to use the version for the US, or so I have been
> informed, so now I need to see if we can have the international version,
> so these students can use it. :(
Actually, nothing in the ITAR says foreigners can't USE the
U.S. version of PGP, just that you can't give them the software.
However, I think it is a bad idea to make PGP available on a multiuser
computer. It encourages a very, very bad habit -- that of using PGP on
a multiuser computer....
> What they are trying to do is make certain that no
> one can send a message to anyone, claim to be in the faculty, and cause
> problems that way.
But since you are using this software on a multiuser computer over
likely insecure lines, or, even worse, over an insecure LAN, all you
are going to do is make things even stickier when someone steals a key
and starts pretending to be some faculty member anyway.
Don't use public key software on untrusted hardware over insecure
links. It's a BAD BAD BAD thing.