9.582 security: PGP

Humanist (mccarty@phoenix.Princeton.EDU)
Mon, 26 Feb 1996 18:53:21 -0500 (EST)

Humanist Discussion Group, Vol. 9, No. 582.
Center for Electronic Texts in the Humanities (Princeton/Rutgers)
Information at http://www.princeton.edu/~mccarty/humanist/

[1] From: "Eric D. Friedman" <friedman@hydra.acs.uci.edu> (22)
Subject: A good book on PGP

[2] From: Andrew Armour <armour@pncl.co.uk> (105)
Subject: Re: 9.577 security & long-term preservation

Date: Mon, 26 Feb 1996 09:41:05 -0800
From: "Eric D. Friedman" <friedman@hydra.acs.uci.edu>
Subject: A good book on PGP

The person inquiring about a straightforward explanation of PGP will
probably want to pick up a copy of O'Reilly & Associates' book on the
subject. This book is exceptionally clear (if a little plodding at
times) and would in no way be over the head of a self-professed
neophyte (aren't we all?).

I've seen ORA books in every bookshop in my area, including the campus
bookstore. If you can't locate one, however, you could always order it
from their WWW site <http://www.ora.com> or at a 10% discount from
Amazon <http://www.amazon.com>.

Eric D. Friedman
Program in Comparative Literature, UC Irvine

My Public Key: -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2

mQCNAzCn6MoAAAEEALPJlQ+GmL89c9eZN1mgrN+NJRWP7ggEVNUDh72XMtS48Nsk FZB81vtKm7JwA1MQndNoPeoQ4hY3yePSTjR8zlgdazg2E+lXHNCz2yhu9zEMWTq0 m7pVLJfCrm7rh4lyEFZrouJ0S5Y0WOQ2Xkz4p0+pgzX/MnVz5XIz5+EYr96FAAUR tCNFcmljIEQuIEZyaWVkbWFuIDxmcmllZG1hbkB1Y2kuZWR1Pg== =Pfj4 -----END PGP PUBLIC KEY BLOCK-----

--[2]------------------------------------------------------------------ Date: Mon, 26 Feb 1996 19:11:43 +0000 From: Andrew Armour <armour@pncl.co.uk> Subject: Re: 9.577 security & long-term preservation

I hope the following is a balanced overview of PGP and its two main uses. I won't go into more detail in this forum, so if anyone wants to know more, please read the FAQ and experiment with the software.

1. Acquire the PGP software -- only commercial users have to pay for it -- install it, and generate a pair of keys, one private, the other public.

2. Send off your pubic key via e-mail to friends & associates, and perhaps to one of the PGP key servers at MIT, Oxford University, etc. You only have to email it to one server as the various key servers exchange data. There is no need to "inform [people] discreetly"; indeed, it's a good idea to make your public key available by "finger" command. Anyone can now use that public key to send you email and/or files confidentially; this is advisable for anything you wouldn't want to see posted on a campus bulletin board (e-mail is as public as a postcard). Similarly, you can send out private messages & files using the public key(s) of the recipient(s).

3. Separately, you can use PGP to append a digital signature to a message or file. This can be authenticated by anyone in possession of your public key. If it passes, the recipient knows that [a] the message/file originated from you, and [b] not one byte has been altered, whether intentionally or accidentally, since you "signed" it. A digital signature is thus much more reliable than its analogue counterpart and ideal for the distribution of e-texts, including dissertations and work-in-progress papers. You can even send yourself, by registered mail, a floppy with your digitally signed novel or blueprint for a better mousetrap.

4. For sending confidential student recommendations, exam questions, grades, book contracts, etc. by e-mail, you should combine encryption with a digital signature.

Further reading (incl. information on where to get PGP): http://www.prairienet.org/~jalicqui/pgpfaq.txt

<quote> PGP is very widely available, so much so that a separate FAQ has been written for answering this question. It is called, "WHERE TO GET THE PRETTY GOOD PRIVACY PROGRAM (PGP)"; it is posted in alt.security.pgp regularly, is in the various FAQ archive sites, and is also available from: ftp://ftp.csn.net/mpj/getpgp.asc </unquote>

> Date: Sun, 25 Feb 96 12:31:06 EST > From: "Peter Graham, RUL" <psgraham@gandalf.rutgers.edu> > Subject: Long-term preservation is non-trivial > >1. Technological preservation: AA says, i.a., >>"...we will always be able to read HTML pages, just as we can still >read WordStar files. Encoding is not really the problem."< > >Encoding is a serious problem. Word-processing programs, and therefore >texts, existed since mainframes in the '60s (I used them). One reason we have >few or no such texts from that time is that the technology is gone.

If by "technology" you mean hardware, we are in perfect agreement. The FDDs and CD-ROM drives will be made redundant, so we should put our e-texts and dissertations on-line. As long as we can ftp those old CP/M WordStar files, we'll have no problem reading them. Conversion programs and import filters abound. And for something a little exotic, a filter can be made. Perhaps even the original software can be run under emulation for viewing, printing or exporting. This is what I mean by saying that encoding is not really the problem. I don't imagine anyone in 2045 will be defeated by 1995 HTML encoding merely because they don't have Netscape. More likely, they'll be worrying how to extract data from a disintegrating plastic disc for which no single-side single-density CD-ROM drive survives.

>2. Archives, security and PGP: AA is adamant that PGP (the privacy scheme, >involving digital signatures) has "proved itself to be more than adequate". >I'm sure that's true. But it's not the tool for the problem I'm proposing >(it's not the right hammer for this nail). His response in 9.565 notes my >first two problem presentations (change in software and multiple names) but >has no response to them.

I beg to differ. I did respond. The change in software at MIT has nothing to do with PGP and is trivial: the new instructions explain quite clearly that GET should be used instead of MGET. If you find this a challenge, use the Oxford server instead. Or perhaps one of the WWW sites that supplies public keys on demand. Or ignore the servers completely, as PGP does not depend on them. As for multiple names, I explained that this isn't a problem as each key has a unique ID. If you doubt the word of those who actually use PGP, you will have to gain some firsthand experience. There is no point in "defending" carburation to someone who suspects that cars don't actually work. Take a ride and see for yourself. When you're satisfied, then by all means tinker with the carburettor, if it will satisfy your curiosity.

>I might note that when he says in riposte (to my desire for a solution >that would travel with the document), "Wouldn't this be like signing a >cheque twice and trying to impress the >recipient with the undoubted similarity between the two signatures?", it >seems to me he is describing what we used to call traveller's checks, which >indeed work on precisely that principle, providing all the benefits of >verification and none of the problems of third-party connections.

I meant, as I think you realize, signing a cheque twice in front of the recipient, instead of signing it once and presenting a "cheque card" or other form of (previously) signed ID. A traveller's cheque, as far as I remember, must first be signed in front of a bank cashier -- this is the "third-party connection" and it is certainly not without problems (for a start, you can't leave the bank without signing each and every cheque). A signed ID card is simpler, especially if -- as is the case with the PGP equivalent (your public key) -- it can be freely copied and handed out to all and sundry, allowing them to authenticate materials that aren't necessarily received directy from the author's own hand.

>To summarize: I have no argument with AA's endorsing PGP as a tool for what >it's good for, but he hasn't demonstrated why it's good for long-term >integrity (not security; two different things). Again, he even seems to >disagree with my pusillanimous conclusion that we need large-scale tests of >various systems (including PGP and time-stamping) on usefulness for integrity >over long times on the human scale; I can't imagine why he does. --pg

As you will see from by brief synopsis, one of PGP's two main functions is to assure integrity and enable authentication. I thought this would have been clear when I suggested it as a reliable, affordable and widely used method of appending digital signatures to e-texts, etc. It works. Why set up a committee to see whether the wheel will stand the test of time?

Andrew Armour Keio University