9.577 security & long-term preservation

Humanist (mccarty@phoenix.Princeton.EDU)
Sun, 25 Feb 1996 22:49:36 -0500 (EST)

Humanist Discussion Group, Vol. 9, No. 577.
Center for Electronic Texts in the Humanities (Princeton/Rutgers)
Information at http://www.princeton.edu/~mccarty/humanist/

[1] From: "Keith Joseph Clayton, Jr." <KJC@MHC.byu.edu> (44)
Subject: Re: 9.569 security: more on PGP

[2] From: "Peter Graham, RUL" <psgraham@gandalf.rutgers.edu> (43)
Subject: Long-term preservation is non-trivial

Date: Fri, 23 Feb 1996 09:17:22 -0700 (MST)
From: "Keith Joseph Clayton, Jr." <KJC@MHC.byu.edu>
Subject: Re: 9.569 security: more on PGP

Would it be possible for someone who is actively
familiar with and using PGP, such as yourself, could drop
me a line, on or off list, with step-by-step "How-to's" of
obtaining PGP (the program and the keys), running or using
PGP appropriately (including how to "turn it off" for
unsecured data), using keys to "decode" others' messages,
and how to discreetly inform appropriate parties of the
keys which would apply to my correspondence?
Let me simplify this request with the following explanations.
I have been interested in PGP for a long time, ever since I
heard it first discussed in a computer software review
magazine, and in countless online postings since then. I
have heard very few drawbacks to the program (except from
the governmental perspective), although I am uncertain of
the legal ramifications of obtaining PGP off of the net. If it is
possible to get all the necessary files and information to use
PGP off of the net, then why would it be offered for $50-$150
in various forms retail?
Anyway, I used WebCrawler to search the net for PGP-
related documentation. Needless to say, I was inundated
with sites and files willed with either rather complicated
computer-speak (for a neophyte like myself) which I literally
couldn't translate or interpret into English instructions, or
these files were filled with pedantic legalese, endless
caveats, and more than a comfortable share of insinuation,
allusion, disclaimer, etc.
I would like to know how PGP works, in simple, easy-to-
understand language, that I could forward to my friends and
relatives without being relegated by default into the "expert"
category (simply because it was my idea that they install it,
if for no other reason than to have someone who will be able
to decode sensitive messages from my end). As it is, I
couldn't hope to be able to answer anyone else's questions
if I can't answer my own.
I know this is a moderated list, and I hope this is an
appropriate response posting (my first to the Humanities list).
If it is not, would our esteemed moderator, Mr. McCarty,
please forward this message directly to the original
respondant of this post (or any appropriate parties he may
know) instead of to the list? I'd be very grateful! Thank you
very much!

Best Regards,

Keith J. Clayton, Jr.


Date: Sun, 25 Feb 96 12:31:06 EST
From: "Peter Graham, RUL" <psgraham@gandalf.rutgers.edu>
Subject: Long-term preservation is non-trivial

From: Peter Graham, Rutgers University Libraries

I want to respond to Andrew Armour on two different issues that he's written
on, but both on the topic of long-term preservation of information.

1. Technological preservation: AA says, i.a.,
>"...we will always be able to read HTML pages, just as we can still
read WordStar files. Encoding is not really the problem."<

Encoding is a serious problem. Word-processing programs, and therefore
texts, existed since mainframes in the '60s (I used them). One reason we have
few or no such texts from that time is that the technology is gone.
Information created on word-processors using cp/m machines in the '70s is
similarly thin on the ground. There is a kind of hubris involved in assuming
that WordStar or any other contemporary program or coding scheme will always
be around; it needs to be preserved and migrated forward through
technological changes. This is an institutional task and won't just happen;
in those terms, I disagree that this is "not...the problem." It will be a
challenge for us.

Extend the idea, by the way, past simple text. Many humanists, not to
mention people in other fields, are using other programs and coding schemes:
hypertext, drawing programs, CAD/CAM schemes, and the like. The problems in
migrating these forward are even more considerable.

2. Archives, security and PGP: AA is adamant that PGP (the privacy scheme,
involving digital signatures) has "proved itself to be more than adequate".
I'm sure that's true. But it's not the tool for the problem I'm proposing
(it's not the right hammer for this nail). His response in 9.565 notes my
first two problem presentations (change in software and multiple names) but
has no response to them.

I might note that when he says in riposte (to my desire for a solution
that would travel with the document), "Wouldn't this be like signing a
cheque twice and trying to impress the
recipient with the undoubted similarity between the two signatures?", it
seems to me he is describing what we used to call traveller's checks, which
indeed work on precisely that principle, providing all the benefits of
verification and none of the problems of third-party connections. (Clearly
forgery is possible and we've moved on from that level, but my point is that
it is not prima facie an unhelpful solution to the problem.)

To summarize: I have no argument with AA's endorsing PGP as a tool for what
it's good for, but he hasn't demonstrated why it's good for long-term
integrity (not security; two different things). Again, he even seems to
disagree with my pusillanimous conclusion that we need large-scale tests of
various systems (including PGP and time-stamping) on usefulness for integrity
over long times on the human scale; I can't imagine why he does. --pg

Peter Graham psgraham@gandalf.rutgers.edu Rutgers University Libraries
169 College Ave., New Brunswick, NJ 08903 (908)445-5908; fax (908)445-5888