[techtalk] html editors

Wed Mar 22 18:33:08 EST 2000

On Wed, Mar 22, 2000 at 09:29:36PM +0000, Steve Howes wrote:
> Jeff wrote:
> > Um, no.  I use it to identify myself in my email.  I personally believe
> > that we all should be using encryption in email, so we can have some
> > form of authentication.  You can get PGPi or GPG (which I will be
> > switching to in the next couple of weeks) for free -- PGPi for personal
> > use, GPG is GPL'd.
> > 
> 
> But isn't there a time and place for authentication?
> Seems a little OTT for a 'public' mailing list.

Yes there is.  It is when I send the email, which is precisely when I do
the authentication.  You see, the design of the email system is such
that this is the best method for verification of someone's identity.

It would be impossible to maintain a centralized user list somewhere,
and if you used a trust system of any sort, well, people already spoof
headers (I've done it before).  The only real workable method is to use
an encryption scheme and tack it on as a rider to the message.  PGP5
uses "PGP/MIME", which is the attachment on my emails.  PGP2 (and I
think GPG) tack on something to a message which looks like my geekcode
below.  

I'm assuming that because you asked, you don't understand public key
encryption (and if you do, my apologies, but I'm betting someone on the
list doesn't).  

I have a pair of keys that can encrypt (scramble) and decrypt
(unscramble) data.  What one can encrypt the other can decrypt.  I keep
one of them private, and the other I allow the world to see (url at the
bottom of this email).  What happens when I send an email is the text of
the message is "hashed", meaning, the characters are added together,
subtracted, bitmask'd and whatnot to produce a number (similar to
md5sum, except SHA is a better algorithm).  This number gets encrypted
with my private key, and the encrypted number is tacked onto the email.
If you wanted to verify if it is me, you grab my public key, decrypt the
signature and compare it to another SHA hash of the message.  This is
all done automatically.  All I ever see is a password prompt when I send
an email, likewise, mutt will do the checking automatically too.

I feel this important, because, yeah anonymity is nice -- and that
doesn't have to go away -- but there are times when someone needs to
know it is you who is sending the message.  Legal contracts anyone?
There is no way to sign a contract from a distance with out using dead
tree format, notorization, etc.  That and if you need to, you can
encrypt an email with my public key and send it to me, I'll be the only
person who can read that piece of mail.  

-- 
Jeff
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/M/>P d-(pu) s+:- a17>? C++(++++) L+++ UL++++@>$ P+ E--- W++@ N+ o? K++ w--- O? M V- PS+ PE(--)@ Y+@ PGP++ t+ 5 X++@ R++@ !tv@ b++ DI++++ D- G e- h! r% y?
------END GEEK CODE BLOCK------

My Public Key -- http://24.5.73.229/pubkey.txt 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 248 bytes
Desc: not available
Url : http://linuxchix.org/pipermail/techtalk/attachments/20000322/5508fb31/attachment-0001.pgp