Re: Open letter
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 "Ihnen, David" wrote: Maybe an extra-low-effort system would consist of a simply speaking a keyword into a microphone I would find this more troublesome than typing my passphrase. - -- David Nicol 816.235.1187 [EMAIL PROTECTED] Originator of the world's first combination bassinet and table saw -BEGIN PGP SIGNATURE- Version: perl -pe '$_=unpack("u*",$_);' Comment: 92G5S="!!;F]T:5R(%!EFP@2%C:V5R"@`` iD8DBQE5kDOHJiOJhroV3bkRAtpcAJ4zQtG9qz925plFbbrtWEwveK38LwCeKjnf /TkbHsLEy4a1ZK+yQ4mYl1k= =DSp0 -END PGP SIGNATURE-
Re: [offtopic?] RE: Encryption (was: Open letter)
Adam McKenna [EMAIL PROTECTED] wrote: On Mon, Jul 31, 2000 at 06:04:12PM -0400, Michael T. Babcock wrote: Use any version of PGP or "PGP for Windows" and use the clipboard encryption features: 1) select all text (Ctrl-A) 2) "copy" (Ctrl-C) 3) click on PGP tray icon 4) click "sign encrypt" 5) enter password 6) click window of program with selected text 7) "paste" (Ctrl-V) (replacing original with encrypted + signed cipher-text) It's not even this complicated with 6.5. You click on the window whose text you want to encrypt, click on the try icon, and click "encrypt window" (or something like that). PGP automatically does the copying and pasting for you. Still too hard. The way it *should* work is that I click "Send", a pop-up asks me for my pasword, and the message is sent signed and enrypted. -Dave
Re: [offtopic?] RE: Encryption (was: Open letter)
True -- but that would require the countries the software manufacturers do business in to relax their export regs. and allow for open encryption hooks in their tools. Dave Sill wrote: It's not even this complicated with 6.5. You click on the window whose text you want to encrypt, click on the try icon, and click "encrypt window" (or something like that). PGP automatically does the copying and pasting for you. Still too hard. The way it *should* work is that I click "Send", a pop-up asks me for my pasword, and the message is sent signed and encrypted.
Re: Open letter
Patrick Lambert [EMAIL PROTECTED] wrote: Each SMTP server could compute a random set of keys when it is installed, and a simple new command could be added to retrieve the public key. When any connection is made between the servers, a public key would be fetched. If the remote server has not been upgraded and does not support PKI, then the transmission would continue in a normal way. If both servers support it, then encryption could be established, automatically, using PKI. Congratulations, you've just reinvented RFC2487: http://www.ietf.org/rfc/rfc2487.txt qmail patch available from: http://www.esat.kuleuven.ac.be/~vermeule/qmail/tls.patch -Dave
Re: Open letter
Agreed: PGP (et. al.) is definately the answer, not server-to-server encryption. However, properly authenticated DNS (or an evolution thereof) and resulting authenticated (S/Q)MTP sessions would be a leap forward as well. [EMAIL PROTECTED] wrote: The problem with your solution is that server to server encryption does not stop government and big corporations from looking at your mail on the mail server after it has arrived. Ask any system admin how hard it is to scan /var/mail or a users home directory. Answer, it's trivial.
Re: Open letter
Blackey [EMAIL PROTECTED] wrote: " The Bill means the UK government - specifically the Home Office and Home Secretary Jack Straw - can demand encryption keys to any and all data communications, with a prison sentence of two years for those who do not comply with the order. (source "http://uk.news.yahoo.com/000728/101/aedvu.html")" Yow. Well, you could always move to a free country. Luckily, one's already been set up for you. :-) Most email transmitted now doesn't require PGP protection, (or warrant it). I know that with the amount of email I get in a day, I wouldn't want the extra overhead of having to decrypt it all. Ah, but if you only encrypt the stuff that needs to be encrypted, you're waving a red flag and saying "Hey, look! I've got something to hide!" Better to encrypt everything you can and keep the spooks guessing. The overhead should be acceptable with modern hardware--and well worth it to preserve your privacy. -Dave
Re: Open letter
And unfortunately, zero-effort security is, with current technology, an oxymoron. Swipe-card key systems that do the authentication would be low-effort. Retina scanning cameras built into your monitor to do authentication would be low effort as well. Until then, people have to decide if its worth their effort or not. [EMAIL PROTECTED] wrote: Key management is a non-zero effort, installation is a non-zero effort, cost is a non-zero effort and actual usage is a non-zero effort. Total transparency is what I define as "easy to use" in the context of the average email user (who probably has an email address at AOL). I'm afraid anything less won't get there.
RE: Open letter
Would you consider PGP more than a low-effort? It would be zero effort if we weren't concerned about the privacy of our own secret keys, thus keeping them encrypted behind passwords. Maybe an extra-low-effort system would consist of a simply speaking a keyword into a microphone, and using voiceprint authentication to decrypt the secret keys. Fortunately almost all computers have the ability to read in decent quality audio. Sending to particular people is no effort - the public key aquisition can be automated. Its interesting to think of the change in load on list servers. Would you encrypt to the list server, who then decrypts and re-encrypts for each client, or would there be a collaborative key for the list that everybody had the secret to and could decrypt? More probably we would just cleartext-sign the messages for source authentication, for backwards compatibility, I suspect. Either way, it can be zero-effort for the people generating the e-mail, outside of authenticating your personal secret key, though accepting the e-mail has the same effort problems. I would be signing my messages pgp, if I could, but I haven't gotten ahold of PGP 7 yet... and the earlier versions don't work on 2000. David -Original Message- From: Michael T. Babcock [mailto:[EMAIL PROTECTED]] Sent: Monday, July 31, 2000 9:06 AM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: Open letter And unfortunately, zero-effort security is, with current technology, an oxymoron. Swipe-card key systems that do the authentication would be low-effort. Retina scanning cameras built into your monitor to do authentication would be low effort as well. Until then, people have to decide if its worth their effort or not. [EMAIL PROTECTED] wrote: Key management is a non-zero effort, installation is a non-zero effort, cost is a non-zero effort and actual usage is a non-zero effort. Total transparency is what I define as "easy to use" in the context of the average email user (who probably has an email address at AOL). I'm afraid anything less won't get there.
Re: [offtopic?] RE: Encryption (was: Open letter)
Potentially long, off-topic message: (follow-ups and/or flames probably best kept private :) "Ihnen, David" wrote: Would you consider PGP more than a low-effort? It would be zero effort if we weren't concerned about the privacy of our own secret keys, thus keeping them encrypted behind passwords. Personally? Using PGP is very low-effort for me. Typing my 25+ character passphrase has become reflexive. I've run a site re: PGP use since my first website in 1993 or so, so I'm probably not a good test-case. :-) Maybe an extra-low-effort system would consist of a simply speaking a keyword into a microphone, and using voiceprint authentication to decrypt the secret keys. Fortunately almost all computers have the ability to read in decent quality audio. Sending to particular people is no effort - the public key aquisition can be automated. I saw some very interesting matrix-mapping software back in 1994 and 1995 for DOS that converted individual words (expandable to phrases) into vectors (stored as matrices) that could easily be compared against a stored file for each person. The idea was to do the "opposite" of voice-to-text recognition software and store the portion of audio that is unique for each user instead of using primarily the part that is similar. Its interesting to think of the change in load on list servers. Would you encrypt to the list server, who then decrypts and re-encrypts for each client, or would there be a collaborative key for the list that everybody had the secret to and could decrypt? More probably we would just cleartext-sign the messages for source authentication, for backwards compatibility, I suspect. Assuming, like the original 'open letter' poster, that you don't want others to snoop on the messages (but their being a subscriber to the list is "okay"), then you'd want a public key for the mailing list that all messages are encrypted to. The mailing list would decrypt the session key for the message (PGP only requires using CPU intensive P.K. cryptography to sign a session key). It would then re-encrypt the session key (effectively, the message) to the public keys of each of the recipients on the list. (It would not need to necessarily verify the sender's signature, to avoid decrypting messages at all). The sender's signature (if used) would be intact in the encrypted message and each person would be able to verify for themselves that that user had sent 'them' the message in question. The CPU intensive portion would be encrypting the session keys to everyone on the list. Assuming the old PGP protocol, that would mean doing 1024 (or more) bit RSA on a 128 bit session key (16 bytes). Either way, it can be zero-effort for the people generating the e-mail, outside of authenticating your personal secret key, though accepting the e-mail has the same effort problems. I would be signing my messages pgp, if I could, but I haven't gotten ahold of PGP 7 yet... and the earlier versions don't work on 2000. Use any version of PGP or "PGP for Windows" and use the clipboard encryption features: 1) select all text (Ctrl-A) 2) "copy" (Ctrl-C) 3) click on PGP tray icon 4) click "sign encrypt" 5) enter password 6) click window of program with selected text 7) "paste" (Ctrl-V) (replacing original with encrypted + signed cipher-text)
RE: [offtopic?] RE: Encryption (was: Open letter)
most recent PGP for windows install worked fine on win2k for me. Put it on last week. Jacob -Original Message- From: Ihnen, David [mailto:[EMAIL PROTECTED]] Sent: Monday, July 31, 2000 3:16 PM To: '[EMAIL PROTECTED]'; Ihnen, David Cc: '[EMAIL PROTECTED]' Subject: RE: [offtopic?] RE: Encryption (was: Open letter) Original Message From: Michael T. Babcock on Monday, July 31, 2000 3:04 PM I would be signing my messages pgp, if I could, but I haven't gotten ahold of PGP 7 yet... and the earlier versions don't work on 2000. Use any version of PGP or "PGP for Windows" and use the clipboard encryption features: 1) select all text (Ctrl-A) 2) "copy" (Ctrl-C) 3) click on PGP tray icon 4) click "sign encrypt" 5) enter password 6) click window of program with selected text 7) "paste" (Ctrl-V) (replacing original with encrypted + signed cipher-text) Maybe you didn't understand what I said... I can't even INSTALL the current pgp for windows. It don't work. Installer doesn't run. David
Open letter
Greetings, This is an open letter to the developers of the main SMTP servers that are used all over the Internet. In recent years, we have all seen in the news the many instances where our privacy has been compromised by big corporations or governments. Some recent examples include the recent survey results that showed over 50% of corporations in the USA check their employees Internet usage and e-mails, the Carnivore system from the FBI, aimed at checking e-mails for potential criminal activity, and the UK law that would force the ISPs to send all e-mails from everyone to the government. This is without even talking about the many crackers who use sniffer to peak in on e-mails while they are in transit. The traditional response from the geek community has been to promote e-mail encryption such as PGP. Unfortunatly, this has not worked well because for normal end users, encryption is not an easy task. The encryption software has to be installed, and each correspondant needs his or her own key published. This is where my suggestion comes in. Every SMTP server should build in their own public-key encryption algorithm, to encrypt all transmissions between mail servers. This would cut down on 50% of all security problems, and on the common fact that e-mail is like sending a post card over the Internet. The way to implement this is not with third party software or optional SSL add-ons. This needs to be a feature which by default is turned on. Each SMTP server could compute a random set of keys when it is installed, and a simple new command could be added to retrieve the public key. When any connection is made between the servers, a public key would be fetched. If the remote server has not been upgraded and does not support PKI, then the transmission would continue in a normal way. If both servers support it, then encryption could be established, automatically, using PKI. Of course this is only a suggestion and cannot work unless the popular SMTP servers software implement it. It is an easy thing to implement Internet wise on the server to server side, since only a few server software programs exist. It could also be implemented on the server to client side if the client software makers would collaborate. Simply implement the same mechanism for connections to the client side and allow the client to see if the server software supports PKI. With the same public encryption standard used by every server, the client makers would implement support for it in no time. Thanks for your time, and I hope this open letter will be of benefit to save our freedom and privacy in the Internet world. Patrick Lambert IT Consultant Internet Society Member -- Patrick Lambert - Computer Scientist IT Consultant and Technical Writer Phone: (819) 696-2204 FAX: (425) 740-0422 __ FREE Personalized Email at Mail.com Sign up at http://www.mail.com/?sr=signup
Re: Open letter
This is an open letter to the developers of the main SMTP servers that are used all over the Internet. In recent years, we have all seen in the news the many instances where our privacy has been compromised by big corporations or governments. Some recent examples include the recent survey results that showed over 50% of corporations in the USA check their employees Internet usage and e-mails The problem with your solution is that server to server encryption does not stop government and big corporations from looking at your mail on the mail server after it has arrived. Ask any system admin how hard it is to scan /var/mail or a users home directory. Answer, it's trivial. Since most users do not run their own mail servers, but access one via POP/IMAP, your solution will not affect the vast majority of people. The *real* solution is to use some form of end-to-end encryption. In other words, encrypt your email before it leaves your email program (whether it be on a PC, a server or a handheld device) in such a way that only the recipient can decrypt it. PGP and their ilk already provide this capability. What I do agree with is that doing this is currently way too hard for the average user and any efforts to make this easier are a good thing. But you need to direct your letter at the email client programmers rather then the email server programmers. Regards.
Re: Open letter
On Sat, 29 Jul 2000, Patrick Lambert wrote: compromised by big corporations or governments. Some recent examples include the recent survey results that showed over 50% of corporations in the USA check their employees Internet usage and e-mails, the Carnivore system from the FBI, aimed at checking e-mails for potential criminal activity, and the UK law that would force the ISPs to send all e-mails from everyone to the government. This is without even talking about the many crackers AFAIK, (and I could be wrong about this), the UK law also has a section about PGP, making it a felony to NOT produce your PGP key on demand. " The Bill means the UK government - specifically the Home Office and Home Secretary Jack Straw - can demand encryption keys to any and all data communications, with a prison sentence of two years for those who do not comply with the order. (source "http://uk.news.yahoo.com/000728/101/aedvu.html")" Most email transmitted now doesn't require PGP protection, (or warrant it). I know that with the amount of email I get in a day, I wouldn't want the extra overhead of having to decrypt it all. just my $0.02
Re: Open letter
On Sat, Jul 29, 2000 at 11:33:33AM -0700, [EMAIL PROTECTED] wrote: What I do agree with is that doing this is currently way too hard for the average user and any efforts to make this easier are a good thing. But you need to direct your letter at the email client programmers rather then the email server programmers. I would have agreed with this 5 years ago, but the current version of WinPGP for windows is so easy to use, that I don't believe this is the reason anymore. I think the majority of people don't use PGP/PKI for the following reaons: 1) They don't know it exists 2) They don't want to spend the money on PGP (if they're not eligible to use the freeware version 3) They just don't consider their privacy to be important enough to warrant the installation of a new software package. --Adam
Re: Open letter
On Sat, Jul 29, 2000 at 04:39:42PM -0400, Adam McKenna wrote: On Sat, Jul 29, 2000 at 11:33:33AM -0700, [EMAIL PROTECTED] wrote: What I do agree with is that doing this is currently way too hard for the average user and any efforts to make this easier are a good thing. But you need to direct your letter at the email client programmers rather then the email server programmers. I would have agreed with this 5 years ago, but the current version of WinPGP for windows is so easy to use, that I don't believe this is the reason anymore. I think the majority of people don't use PGP/PKI for the following reaons: 1) They don't know it exists 2) They don't want to spend the money on PGP (if they're not eligible to use the freeware version 3) They just don't consider their privacy to be important enough to warrant the installation of a new software package. Key management is a non-zero effort, installation is a non-zero effort, cost is a non-zero effort and actual usage is a non-zero effort. Total transparency is what I define as "easy to use" in the context of the average email user (who probably has an email address at AOL). I'm afraid anything less won't get there. Regards.