On Fri, Aug 23, 2002 at 04:59:27PM -0700, Brendan Moran wrote:
> Any personal information that the user wishes to share could be posted on
> their piclist.com webspace, thus rendering signatures containing personal
> information useless.
>

Agreed, although a couple of lines of company name and title doesn't harm and can be useful to put posts into context (is this guy a professional/hobbyist etc)

> Authentication on this list is not terribly important, but for some people
> can be a force of habit. For me, I wanted to use the "sign all outgoing
> messages" option with the PGP plugin I have. Sending unsigned mails to the
> list means I either have to select the signature option for all non-piclist
> email, or deselect the signature for all piclist email. It's simply easier
> for me to send signed emails to the piclist.
>
> As to the reliability of a PGP signature, so long as you have the public key
> from a trusted source, or signed by a trusted source, the signature is
> reliable.
>

This is the problem with all PKI-based authentication schemes. What is the trusted source? With a certificate authority based system you have a master source of trust which is why it works well in enterprises and other closed groups, and in some cases (but not very widespread or successful), national banking or government organisations.

PGP generally uses a different model, the web of trust where you have one person sign another's cert who can then sign another's etc etc. This way, if you trust user A, then you can trust B,C,D if A signed their certs. This is a nice idea, but again tends to have limited usefulness outside the geek community.

> I, personally, use 2048-bit encrypted email to anyone who can receive it. I
> do this for two reasons: the first is that I do care a bit about my
> privacy, and the second...
>

Your email is not encrypted using 2048 bits. The PGP plugin generates a message key and encrypts it once for each recipient with the 2048-bit asymmetric algorithm. Your actual email text is encrypted using a symmetric algorithm, usually 3DES these days.

This is for two reasons. Firstly, if you used the asymmetric algorithm to encrypt the email, you would have to have a full copy for each recipient. Not good if you're sending a 1M pdf to 100 people. Secondly, the asymmetric algorithms are 100's of times slower than 3DES. This is more of an issue in real-time encryption, but still holds for email.

> There was a rumour a while ago, how true it was, I do not know. It stated
> that the US government was considering declaring encryption a tool that only
> terrorists use, and therefore outlawing it. Also, I remember hearing about
> a statement from some branch of the US government said that Americans could
> not expect privacy in their email.
>

This is definitely not a rumour. For years, export of DES with 56-bit keys outside of the US was prohibited - this included any software or hardware using it. Even though the algorithm was well published, the US government saw a day when they would lose the ability to tap terrorist conversations (and of course all the bad guys are outside the US).

This is now officially not the case, for DES, 3DES and the new AES standard, Rijndael which is a Belgian-designed algorithm which won the recent contest to find a replacement for 3DES for worldwide use. However in France for example where I live, there is still a lot of paperwork to be filled in which often makes business very difficult to do in this area.

> So, A) If enough people use encrypted email on a regular basis, then
> encryption cannot be declared a tool of terrorists, and B) I don't want
> people snooping in my private email.
>
> I know I'm a bit of a conspiracy theorist, but, I think it's healthy to have
> some skepticism as to the trustworthiness of email, and PGP gives a good
> step in the right direction.
>

That's the whole thing behind PGP right? The problem is that you and me doing it doesn't really make a difference. The governments were really swayed by commercial pressure from large networking equipment and software vendors who are increasingly offering virtual private networking services which (often) rely on encryption to provide their services.

> --Brendan
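
The hybrid scheme described in the reply above (the body encrypted once with a symmetric message key, and that key encrypted once per recipient), as an added example that is not part of the original message. To run on the Python standard library alone it uses stand-ins, none of them secure for real use: textbook RSA over fixed, constructed primes in place of PGP's asymmetric algorithm and a SHA-256 keystream in place of 3DES. The recipient names and all function names are hypothetical.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by the demo keys

def make_keypair(p, q):
    """Textbook RSA key pair from two given primes (constructed demo key, not secure)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def keystream_xor(key, data):
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt_for(recipients, plaintext):
    """Encrypt the body once; wrap the message key once per recipient."""
    session_key = secrets.token_bytes(16)
    body = keystream_xor(session_key, plaintext)
    k = int.from_bytes(session_key, "big")
    wrapped = {name: pow(k, e, n) for name, (n, e) in recipients.items()}
    return wrapped, body

def decrypt_as(name, private_key, wrapped, body):
    """Unwrap this recipient's copy of the message key, then decrypt the shared body."""
    n, d = private_key
    session_key = pow(wrapped[name], d, n).to_bytes(16, "big")
    return keystream_xor(session_key, body)

def message_size(wrapped, body):
    """Bytes sent: one body plus one wrapped key per recipient."""
    return len(body) + sum((w.bit_length() + 7) // 8 for w in wrapped.values())

def mersenne(x):
    return 2**x - 1

# Constructed demo keys built from known Mersenne primes; real keys use random primes.
ALICE_PUB, ALICE_PRIV = make_keypair(mersenne(521), mersenne(607))
BOB_PUB, BOB_PRIV = make_keypair(mersenne(1279), mersenne(2203))

if __name__ == "__main__":
    msg = b"constructed sample body " * 1000  # constructed sample input
    wrapped, body = encrypt_for({"alice": ALICE_PUB, "bob": BOB_PUB}, msg)
    print("plaintext:", len(msg), "body:", len(body), "total:", message_size(wrapped, body))
    print("bob reads it:", decrypt_as("bob", BOB_PRIV, wrapped, body) == msg)
```

Each extra recipient adds only one wrapped key to the message, while the encrypted body stays a single copy the same length as the plaintext.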