Path: utzoo!attcan!uunet!decwrl!sdd.hp.com!zaphod.mps.ohio-state.edu!casbah.acns.nwu.edu!navarra
From: navarra@casbah.acns.nwu.edu (John Navarra)
Newsgroups: comp.mail.elm
Subject: Re: Two question on Elm
Message-ID: <3446@casbah.acns.nwu.edu>
Date: 12 Feb 91 09:08:29 GMT
References: <1991Feb11.021555.10503@watdragon.waterloo.edu> <363@camdev.comm.mot.com?>
Organization: Northwestern University
Lines: 46

In article <363@camdev.comm.mot.com?> mmuegel@camdev.comm.mot.com	 (Mike "Happy" Muegel) writes:

>   * A way to automatically encrypt mail with the key being the user's local
>     password. I think this would be just dandy to quickly encrypt mail. It
>     would also be more secure since you would never have to exchange keys. Is
>     this possible or does Elm use it own encryption algorithm (and not 
>     crypt())? All that would be required would be some catch that says
>     "use the user's password as the key."
>
>-Mike

       I don't think this is such a _good_ idea -- crypt, des, etc are NOT very
 secure (and I personally know some people who have decryption software lying
 around) 
	I would not like the idea of mail sent to me being encrypted with MY
 passwd!!! First of all that would mean that I would have to give out my passwd
 to a number of people (which is not recommended -- or downright not allowed)
 at some institutions. Furthermore, if you consider the number of sights that
 most mail has to go thru to get to you, which could be tampered with anywhere
 along the way -- it would not be wise to let any "bad" fellows out there have
 a chance at cracking your passwd if they knew that this was the default. And 
 since such evildoers are not necessarily close by, it is just not a good idea
 to allow someone at a remote sight possible access to your account.
	If you are not convinced, send me an encrypted message with your passwd
as the key (and don't tell me what the key is) and assuming you do not change itwithin a few days, I will get back to you with a NOT so pleasant surprise!!

Besides, I think it is MUCH more secure (and not that much of a pain) to have
a pre-arranged key or make something up that only you and the receiver would
know the answer to in the mail message.
Really, if you are that worried about people reading your mail that you encrypt
it, why would you not be worried about someone getting a hold of your passwd!


>+-----------------------------------------------------------------------------+
>| Mike Muegel                              | Internet: mmuegel@mot.com        |
>| Software Tools Group                     | UUCP:     uunet!motcid!muegel    |
>| Fort Worth Research & Development Center | Voice:    (817) 232-6129         |
>| Cellular Infrastructure Group            | Fax:      (817) 232-6081         |
>| Radio Telephone and Systems Group        | Mail:     5555 North Beach St.   |
>| Motorola, Inc.                           |           Fort Worth,  TX 76137  |
>+-----------------------------------------------------------------------------+


---------------------------
from the lab of the MaD ScIenTist:
navarra@casbah.acns.nwu.edu