[42917] in Cypherpunks

home help back first fref pref prev next nref lref last post

Re: using PGP only for digital signatures

daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Sun Nov 5 11:15:47 1995

To: James Black <black@eng.usf.edu>
Cc: cypherpunks@toad.com
In-Reply-To: Your message of "Sat, 04 Nov 1995 16:12:43 EST."
             <Pine.SUN.3.91.951104155911.2413A-100000@fourier> 
Reply-To: perry@piermont.com
Date: Sun, 05 Nov 1995 11:11:44 -0500
From: "Perry E. Metzger" <perry@piermont.com>


James Black writes:
>   I am in a discussion (during the week) with a system administrator 
> about seeing if we can just make PGP publically available to everyone, 
> but now the discussion seems to be to just allow PGP to do digital 
> signatures, and I don't think that is the best choice, then.  They are 
> not against PGP being used, but there are legal issues as to whether they 
> can offer it to everyone, as some students are international students, 
> and are not allowed to use the version for the US, or so I have been 
> informed, so now I need to see if we can have the international version, 
> so these students can use it. :(

Actually, nothing in the ITAR says foreigners can't USE the
U.S. version of PGP, just that you can't give them the software.

However, I think it is a bad idea to make PGP available on a multiuser
computer. It encourages a very, very bad habit -- that of using PGP on
a multiuser computer....

> What they are trying to do is make certain that no 
> one can send a message to anyone, claim to be in the faculty, and cause 
> problems that way.

But since you are using this software on a multiuser computer over
likely insecure lines, or, even worse, over an insecure LAN, all you
are going to do is make things even stickier when someone steals a key
and starts pretending to be some faculty member anyway.

Don't use public key software on untrusted hardware over insecure
links. Its a BAD BAD BAD thing.

Perry

home help back first fref pref prev next nref lref last post