
Re: mailing list pgp signatures...

On Sat, 2009-07-11 at 18:38 -0400, Steven W. Orr wrote:
> On 07/11/09 18:05, quoth David:
> If I may, I'd like to amplify on "G"'s lack of Netiquette. I am also using
> Thunderbird with the Enigmail plugin. I too have my system set up for
> "Automatically Decrypt/Verify" and was previously forced to have long delays
> every time I saw a message from him. AND I too have taken pains to have him
> filtered out of my sight.
> I am new to the use of PGP but I have studied it from the math, to the
> computer interface, to the historical and to the sociological aspects. We send
> mail via post office all the time and we sign them and seal our messages in an
> envelope. PGP is the same thing. I can send mail and set the From line to
> Barack Obama and it's trivial to do so. Or, I can send mail out as you and
> most people wouldn't be able to tell. We all know about how big a problem
> identity theft is and yet so few of us sign our mail. That absolutely
> fascinates me. So while "G" is acting like a nitwit by not even understanding
> how his behavior is fundamentally rude, I'd like to take this opportunity to
> encourage more of you to start signing your mail. There are basically two ways
> to do it. You can either use the PGP (or GnuPG) scheme, or you can use S/MIME.
> S/MIME is better for scalability in corporations. PGP is better in public. PGP
> is free, and for S/MIME to properly work, you have to get a cert from some
> trusted Cert Authority (CA). For most people, that would mean Verisign, and
> for others it would mean certs that shouldn't be trusted in the first place.
> Anyways, I said what I wanted to say and you can all do what you want, but
> maybe at least a few more will be better informed, and that's really why we're
> all here.
> This message is signed, but if you read it, you'll at least be able to fetch
> my public key.
Hi, Steven,
	The point about the envelope is a good one.  It is a point I never
considered.  But G's attitude doesn't make me fond of signing; in fact
it does more to discourage users of messaging services from using PGP or
S/MIME to sign messages.  His actions slow access, disturb the flow of
work and, as you pointed out, are generally rude to the users of the list.
As to someone signing messages to look like him, I don't see how that
could happen, because the messages would have to be signed using his
private key, unless he posted the private key as well.

	In any event, even your signature shows up as "Valid signature, but
cannot verify sender" in my Evolution.  I have checked before to see
what servers are searched and it appeared correct, but since it cannot
"verify sender", what does that really tell me?  If the email were
business related I would be suspicious the first few times, then forget
about it as regards your emails, but wouldn't that weaken the process?

	In short, the problem I see with signatures right now is that the process
is not well documented and has more players than should be necessary.
I don't know the solution, but the problems are somewhat self-evident.
If I cannot decipher some sigs, and cannot verify others, then what
value is the process, and why would I add that overhead if it doesn't
bring some real benefit?  I am not trolling here, just stating the case
as I see it.

	One might make it more robust and not pass on unregistered emails, nor
those that do not pass verification (whatever that may end up being).

	But that would be the end of spammers as they would have to register,
and be verified.  There are too many interests with cash in hand to make
that realistic.  Any thoughts?

Les H
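Editor's note on the "Valid signature, but cannot verify sender" result discussed above. That message means two different checks gave two different answers: the signature itself verified against the signer's public key (the mail was not altered and was made by whoever holds that key), but the key had no trust path from the reader's own key, so the mail client cannot vouch that the key belongs to the person named in the From line. The model below, added here as an illustration and not part of the thread or of GnuPG's own code, reproduces the second check with GnuPG's default web-of-trust parameters (completes-needed 1, marginals-needed 3, max-cert-depth 5). The cryptographic check is stood in for by a boolean, and all fingerprints, user IDs and the keyring contents are constructed placeholders.

```python
"""Toy model of GnuPG's key-validity (web of trust) computation.

Constructed illustration, not GnuPG's code. A signature can be cryptographically
good while the signing key is still not *valid* for us, which is what a mail
client reports as "Valid signature, but cannot verify sender".
"""
from dataclasses import dataclass, field

COMPLETES_NEEDED = 1   # gpg --completes-needed default
MARGINALS_NEEDED = 3   # gpg --marginals-needed default
MAX_CERT_DEPTH = 5     # gpg --max-cert-depth default


@dataclass
class Key:
    fpr: str                      # placeholder fingerprint (constructed)
    uid: str                      # user ID on the key
    owner_trust: str = "unknown"  # how far we trust the owner to certify others
    certified_by: set = field(default_factory=set)  # fprs that signed this uid


def key_validity(keyring, fpr, depth=0, path=frozenset()):
    """Return 'full', 'marginal' or 'unknown' (simplified GnuPG validity)."""
    key = keyring[fpr]
    if key.owner_trust == "ultimate":      # our own key is always valid
        return "full"
    if depth >= MAX_CERT_DEPTH:
        return "unknown"
    completes = marginals = 0
    for cert_fpr in key.certified_by:
        if cert_fpr in path or cert_fpr not in keyring:
            continue                       # unknown certifier or a cycle: no help
        # A certification only counts if the certifying key is itself valid...
        if key_validity(keyring, cert_fpr, depth + 1, path | {fpr}) != "full":
            continue
        # ...and we have assigned its owner some trust to certify others.
        trust = keyring[cert_fpr].owner_trust
        if trust in ("ultimate", "full"):
            completes += 1
        elif trust == "marginal":
            marginals += 1
    if completes >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
        return "full"
    return "marginal" if (completes or marginals) else "unknown"


def describe(keyring, signature_good, signer_fpr):
    """Combine the crypto check (a boolean here) with the trust check."""
    if signer_fpr not in keyring:
        return "Signature exists, but need public key"
    if not signature_good:
        return "BAD signature"             # content altered or wrong key
    if key_validity(keyring, signer_fpr) == "full":
        return "Good signature, sender verified"
    return "Valid signature, but cannot verify sender"


def demo():
    """Walk through the situations described in the thread (constructed data)."""
    me = Key("LESH-FPR", "Les H <les@example.invalid>", owner_trust="ultimate")
    steven = Key("SWO-FPR", "Steven W. Orr <steven@example.invalid>")
    ring = {me.fpr: me, steven.fpr: steven}
    results = {}
    # 1. Key fetched from a keyserver; nobody I trust has certified it.
    results["fetched_only"] = describe(ring, True, steven.fpr)
    # 2. I compared the fingerprint with Steven out of band and signed his key.
    steven.certified_by.add(me.fpr)
    results["signed_by_me"] = describe(ring, True, steven.fpr)
    # 3. Web of trust instead: three people I trust marginally certified it.
    steven.certified_by.clear()
    for name in ("A", "B", "C"):
        friend = Key(f"{name}-FPR", f"Friend {name} <{name.lower()}@example.invalid>",
                     owner_trust="marginal", certified_by={me.fpr})
        ring[friend.fpr] = friend
        steven.certified_by.add(friend.fpr)
    results["three_marginals"] = describe(ring, True, steven.fpr)
    # 4. Only two marginal certifications: below the default threshold.
    steven.certified_by.discard("C-FPR")
    results["two_marginals"] = describe(ring, True, steven.fpr)
    # 5. The message body was changed after signing.
    results["tampered"] = describe(ring, False, steven.fpr)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:16s} -> {verdict}")
```

The practical reading: "cannot verify sender" is not a defect in the signature, it is the client refusing to guess who owns the key. The fix is on the reader's side (check the fingerprint out of band and sign the key, or rely on certifications from people whose keys you already trust), which is also why the process feels like it has "more players than necessary".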
