From ld231782 Fri Nov 19 18:33:39 1993
Return-Path:
Received: from parry.lance.colostate.edu by longs.lance.colostate.edu (5.65/lance.1.5) id AA27198; Fri, 19 Nov 93 18:33:32 -0700
Message-Id: <9311200133.AA27198@longs.lance.colostate.edu>
To: cypherpunks@toad.com
Cc: ld231782
Subject: PRZ on Pseudospoofing
Date: Fri, 19 Nov 93 18:33:31 -0700
From: "L. Detweiler"
X-Mts: smtp

Mr. Zimmermann gave a fantastic talk yesterday to a packed house at a Boulder (CO) Unix meeting. I really am extremely depressed that none of the CA cypherpunks showed up (NOT!).

He talked about the complex issues associated with his program. He's opposed to the Internet PEM standard because it is a weaker standard than PGP in the sense that it has a standard initialization vector, exposes recipients & senders of messages in plaintext (if I'm not mistaken, sorry, I'm not an expert but do play one on the cypherpunks list). Interestingly, he said that he thought that RSA was somewhat afraid of him because (according to an insider) they didn't want to confront his `folk hero' status. Mr. Zimmermann also had many comments on America as a police state.

Unfortunately, I missed most of the talk because I am rather feckless in real-world navigation vs. cyberspace and had a difficult time zeroing in on the meeting geography coordinates (hee, hee). I would have taken copious notes that would have shamed the best CA cypherpunk and reported them wholesale if I had got there in time. I would be interested in hearing anyone else's impressions of the meeting.

Mr. Zimmermann appeared to be somewhat sympathetic to my concerns about pseudospoofing, particularly on the part of cypherpunks. He entertained my suggestion of `signature revocation certificates' that would spread virus-like to revoke trust through the `web of trust' when someone realized they had been spoofed (betrayed). He seems to think that as long as everybody follows the guidelines in the PGP documentation, the `web of trust' would not really ever be corrupted. But he seemed to come around in thinking that a `signature revocation certificate' might lead to a more dynamic and responsive (and hence pure) web of trust.

An audience member asked Mr. Zimmermann if his arrangement with ViaCrypt and licensing of RSA patents was `making stronger' RSA Inc. and (implicitly) their stranglehold lock on public key patents. He replied that the agreement actually made PGP stronger.

BTW don't `harass' Mr. Zimmermann over any features, at least don't expect to see major revisions soon, they are all on the top of the queue while he is in the `promotion of ViaCrypt' stage vs. the `major development and feature push' stage.

===cut=here===

To: prz@acm.org
Subject: a simple question
Date: Wed, 17 Nov 93 22:11:31 -0700
From: "L. Detweiler"

[Some] cypherpunks have made it clear to me they condone, and perhaps widely practice, the following scenarios related to PGP:

1) real people signing imaginary identity's keys. I.e., I could make up different identities (pseudospoofing) and sign their identities, and have others sign these identities.

2) putting imaginary identities on the key servers.

do you have some kind of opinion on these practices? they seem rather dishonest to me, to say the least. But what do I know?

Subject: Re: a simple question
To: ld231782@longs.lance.colostate.edu (L. Detweiler)
Date: Thu, 18 Nov 93 1:39:13 MST
From: Philip Zimmermann

It's not something I would do myself. It strikes me as having potential to lead to bad situations, as you have described in earlier notes. I prefer to deal with people only as my real self. It strikes me as unethical if used in fraudulent ways. That's my opinion.

[...]

Regards,
Phil