[Pine-info] getross - email privacy /security of system

Curt Sampson cjs at cynic.net
Thu Nov 9 21:17:08 PST 2006


On Thu, 9 Nov 2006, Ross wrote:

> And you provided a good demonstration. With added signatures for
> verification, it would fly.

I think you misunderstand slightly, or I'm misunderstanding you.

No "added" signatures are necessary, unless you want a witness that
it was really me who encrypted it. That someone with the key 25808B3A
signed that document is indisputable. The only question is, do you
believe that that person is the same one identified by the string "Curt
Sampson <cjs at cynic.net>"? For that, you look not at the document itself,
but at the signatures on a copy of the public key, one copy of which you
can examine at

http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x25808B3A


> You said "easy enough" & now you say "not so hot". Negative vibes man.


What I meant by "easy enough" is that we don't need new technology or
systems to implement what you wanted. By not so hot I mean we need better
interfaces into the existing system.

> Complexity can be eliminated by building a transparent design. Just type the
> message you want to send, press control-x (in Pine), select Y/N to encrypt,
> enter encryption required passphrase/key, & enter to finish.

Unfortunately, the complexity cannot be eliminated. The one part you've
described is easy, but you've ignored the issues of how that person
sending the mail has managed his key and, more particularly for this one
exchange, how the receiver verifies the identity of the sender.

Fact is, if people were generally good at that latter operation, we
wouldn't have phishing scams.

cjs
--
Curt Sampson <cjs at cynic.net> +81 90 7737 2974
The power of accurate observation is commonly called cynicism
by those who have not got it. --George Bernard Shaw
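
Added example, not part of the original message: a sketch of how a mail front end could keep the two questions above apart, "did this key sign it" and "is the name on that key certified", by reading GnuPG's machine-readable status lines (the `--status-fd` output). The helper name `assess`, the sample status text, and the key ID and address in it are constructed for illustration.

```python
# Constructed GnuPG status output (as written by `gpg --status-fd`); the key ID
# and address are placeholders, not values from the original message.
UNCERTIFIED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Alice Example <alice@example.org>
[GNUPG:] TRUST_UNDEFINED
"""
CERTIFIED = UNCERTIFIED.replace("TRUST_UNDEFINED", "TRUST_FULLY")
TAMPERED = "[GNUPG:] BADSIG AAAAAAAAAAAAAAAA Alice Example <alice@example.org>\n"

PREFIX = "[GNUPG:] "


def assess(status_text):
    """Return (key_id, claimed_uid, verdict) for one signed message.

    Hypothetical helper: keeps "which key signed this" separate from
    "is the name on that key certified by signatures I trust".
    """
    key_id = uid = validity = None
    good = bad = False
    for line in status_text.splitlines():
        if not line.startswith(PREFIX):
            continue
        fields = line[len(PREFIX):].split(" ", 2)
        tag = fields[0]
        if tag in ("GOODSIG", "BADSIG") and len(fields) == 3:
            key_id, uid = fields[1], fields[2]
            good, bad = good or tag == "GOODSIG", bad or tag == "BADSIG"
        elif tag == "ERRSIG":
            bad = True  # signature could not be checked at all
        elif tag.startswith("TRUST_"):
            validity = tag[len("TRUST_"):]  # UNDEFINED, NEVER, MARGINAL, FULLY, ULTIMATE
    if bad or not good:
        return key_id, uid, "reject: no good signature"
    if validity in ("FULLY", "ULTIMATE"):
        return key_id, uid, "good signature; name on key is certified"
    return key_id, uid, "good signature; name on key is NOT verified"


if __name__ == "__main__":
    for sample in (UNCERTIFIED, CERTIFIED, TAMPERED):
        print(assess(sample))
```

The middle verdict is the case discussed above: the signature checks out against the key, but nothing yet ties that key to the name shown.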


