9.569 security: more on PGP

Humanist (mccarty@phoenix.Princeton.EDU)
Thu, 22 Feb 1996 21:01:52 -0500 (EST)

Humanist Discussion Group, Vol. 9, No. 569.
Center for Electronic Texts in the Humanities (Princeton/Rutgers)
Information at http://www.princeton.edu/~mccarty/humanist/

[1] From: Andrew Armour <armour@pncl.co.uk> (39)
Subject: Re: 9.565 archives & security

At 06:42 PM 2/21/96 -0500, Peter Graham, RUL wrote:
>Thanks to Andrew Armour for the PGP information, which I need to know more
>about. I have to say that I followed his advice and sent "MGET Armour" to
>the pgp site at MIT, and the message bounced back as an invalid request.
>Apparently they have a new set of software there, for I got two pages of
>information which seemed to be relevant, but not a key for Armour.

Sorry. As those pages explain, the software at MIT has been upgraded and one
must use GET instead of MGET now. I've now confirmed that "GET Armour"
returns my public key.

>Second problem: the implication of "MGET Armour" is that there's only one
>Armour, or perhaps a moderately finite number. Try any major research
>library catalog for common names (even Armour) and you might have a problem
>picking out who is the author (or keyholder) you want. The concept of
>authority control comes in here for you library types.

Not sure if I'm a "library type", but even though only one "Armour" seems to
be registered, it wouldn't matter if there were hundreds. PGP keys have
unique IDs.

>The solution it seems to me continues to be to have all the authentication
>information necessary traveling with the item.

Wouldn't this be like signing a cheque twice and trying to impress the
recipient with the undoubted similarity between the two signatures? Surely
something external -- such as an openly available public key -- is essential
for authentication? But perhaps I misunderstand you: it is of course
possible to send someone an e-text with internal digital signature together
with the public key required for authentication on the same floppy disk, or
attached to the same email message.

>I'm willing to admit that the niceties of this discussion might be a bit far
>afield from HUMANIST interests so it doesn't need to go on here.

Indeed. Rather than explaining all of the advantages of PGP in this forum, I
suggest that anyone interested in the use of digital signatures for
archiving should read the two .doc files that accompany PGP.

> We need some genuine testbed
>implementations on a large scale to try out the techniques--over time.

PGP has proved itself to be more than adequate over the last few years.
Allow me to repeat: it is very widely used. And it's even more reliable than
the encryption system still used by the banks (at least in Europe) for
international transfers of funds, so I'm sure we can entrust our e-texts to it.

Please give it a try. An hour or two should convince anyone.

Andrew Armour
Keio University
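
Armour's point that authentication needs something external to the item, shown as an added example that is not part of the original message. It substitutes Lamport one-time hash-based signatures for PGP's signatures so that it runs on the Python standard library alone; all function names and sample texts are constructed for illustration.

```python
import hashlib
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    # Lamport one-time key (stand-in for a PGP key pair): sign ONE message per key.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    # Reveal one secret per bit of the message digest.
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    return (len(sig) == 256 and
            all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg)))))

def fingerprint(pk) -> str:
    # Short identifier of a public key, published somewhere other than the bundle.
    return H(b"".join(a + b for a, b in pk)).hex()

def make_bundle(sk, pk, text: bytes) -> dict:
    return {"text": text, "sig": sign(sk, text), "pubkey": pk}

def verify_bundled_only(bundle) -> bool:
    # Checks internal consistency only: the signature matches the key shipped with it.
    return verify(bundle["pubkey"], bundle["text"], bundle["sig"])

def verify_pinned(bundle, trusted_fpr: str) -> bool:
    # Accept the shipped key only if it matches the externally obtained fingerprint.
    return fingerprint(bundle["pubkey"]) == trusted_fpr and verify_bundled_only(bundle)

def demo():
    author_sk, author_pk = keygen()
    trusted = fingerprint(author_pk)  # obtained out of band, e.g. from a key server
    genuine = make_bundle(author_sk, author_pk, b"constructed e-text, as archived")
    other_sk, other_pk = keygen()     # a different key, shipped inside its own bundle
    substituted = make_bundle(other_sk, other_pk, b"constructed e-text, altered")
    return (verify_bundled_only(genuine), verify_pinned(genuine, trusted),
            verify_bundled_only(substituted), verify_pinned(substituted, trusted))
```

A bundle that carries its own key always verifies against itself, whoever produced it; only the comparison with the externally held fingerprint separates the two cases.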