
Re: mailing list pgp signatures...

On Sun, 2009-07-12 at 09:47 -0700, Les wrote:
> On Sat, 2009-07-11 at 18:38 -0400, Steven W. Orr wrote:
> > Hash: SHA1
> > 
> > On 07/11/09 18:05, quoth David:
> > If I may, I'd like to amplify on "G"'s lack of Netiquette. I am also using
> > Thunderbird with the Enigmail plugin. I too have my system set up for
> > "Automatically Decrypt/Verify" and was previously forced to have long delays
> > every time I saw a message from him. AND I too have taken pains to have him
> > filtered out of my sight.
> > 
> > I am new to the use of PGP but I have studied it from the math, to the
> > computer interface, to the historical and to the sociological aspects. We send
> > mail via post office all the time and we sign them and seal our messages in an
> > envelope. PGP is the same thing.  I can send mail and set the From line to
> > Barack Obama and it's trivial to do so. Or, I can send mail out as you and
> > most people wouldn't be able to tell. We all know about how big a problem
> > identity theft is and yet so few of us sign our mail. That absolutely
> > fascinates me. So while "G" is acting like a nitwit by not even understanding
> > how his behavior is fundamentally rude, I'd like to take this opportunity to
> > encourage more of you to start signing your mail. There are basically two ways
> > to do it. You can either use the PGP(or GnuPG) scheme, or you can use S/MIME.
> > S/MIME is better for scalability in corporations. PGP is better in public. PGP
> > is free and for S/MIME to properly work, you have to get a cert from some
> > trusted Cert Authority (CA). For most people, that would mean Verisign, and
> > for others it would mean certs that shouldn't be trusted in the first place.
> > 
> > Anyways, I said what I wanted to say and you can all do what you want, but
> > maybe at least a few more will be better informed, and that's really why we're
> > all here.
> > 
> > This message is signed, but if you read it, you'll at least be able to fetch
> > my public key.
> > 
> Hi, Steven,
> 	The point about the envelope is a good one.  It is a point I never
> considered.  But g's attitude doesn't make me fond of signing, in fact
> it does more to discourage users of messaging services to not use PGP or
> S/MIME to sign messages.  His actions slow access, disturb the flow of
> work and, as you pointed out, are generally rude to the users of the list.
> As to someone signing messages to look like him I don't see how that
> could happen, because the messages would have to be signed using his
> private key, unless he posted the private key as well.
> 	In any event, even your signature shows up as "Valid signature, but
> cannot verify sender" on my Evolution.  I have checked before to see
> what servers are searched and it appeared correct, but since it cannot
> "verify sender", what does that really tell me?  If the email were
> business related I would be suspicious the first few times, then forget
> about it as regards your emails, but wouldn't that weaken the process?
> 	In short, the problem I see with signatures right now, is the process
> is not well documented, and has more players than should be necessary.
> I don't know the solution, but the problems are somewhat self evident.
> If I cannot decipher some sigs, and cannot verify others, then what
> value is the process, and why would I add that overhead if it doesn't
> bring some real benefit.  I am not trolling here, just stating the case
> as I see it.  
> 	One might make it more robust and not pass on unregistered emails, nor
> those that do not pass verification (whatever that may end up being).
> 	But that would be the end of spammers as they would have to register,
> and be verified.  There are too many interests with cash in hand to make
> that realistic.  Any thoughts?
> Regards,
> Les H

My thought is to pgp sign my mail.

Those who know me, who have spoken to me over the phone and have
received mail from me, can save my signature from my mail and know the
mail, and any future mail with that signature, is from me.

Those who do not know me will have a valid, verified, but untrusted
signature.  If these people have a problem with my mail, they should be
able to track me down through my signature.

If one receives mail that purports to be from me, and doesn't
have a signature or does have a signature, but not my signature,
I can claim I didn't send the mail, and hopefully, the person
who created the signature can be tracked down through their
signature.  I assume the key servers keep a log indicating what Internet
address was used to register what signature and those records can be
accessed if one can get a court order.

I try to register my pgp signature with either keyserver.pgp.com
or pgp.mit.edu:11371 or subkeys.pgp.net, whichever key server seems
to be accessible at the time.  I believe the key servers synchronize
amongst themselves so I need only register with one key server and the
rest will eventually get my signature.

Attachment: signature.asc
Description: This is a digitally signed message part
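
As an added illustration (not part of any message in this thread), here is a small Python parser over constructed GnuPG `--status-fd` output showing how a mail client arrives at the outcomes Les describes: no public key to check against, a good signature from a key nobody has vouched for ("valid, but cannot verify sender"), and a good signature from a key marked trusted. The status lines are constructed samples, and the verdict strings and the From-address comparison are my own labels, not Evolution's or Enigmail's.

```python
import re

# Constructed sample of `gpg --status-fd 1 --verify` machine-readable output,
# not captured from a real run; line shapes follow GnuPG's doc/DETAILS.
STATUS_UNTRUSTED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Sender <sender@example.org>
[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2009-07-12 1247414820 0 4 0 1 2 00 89ABCDEF0123456789ABCDEF0123456789ABCDEF
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Constructed: the signer's key is not in the local keyring at all.
STATUS_NO_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 1 2 00 1247414820 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF
"""

# Verdict labels are my own (hypothetical), chosen to mirror what a client shows.
VERDICT_NO_KEY = "cannot check: signer's public key not in keyring (fetch from a key server)"
VERDICT_BAD = "bad signature: message altered or signed by a different key"
VERDICT_MISMATCH = "valid signature, but the key's e-mail address differs from the From header"
VERDICT_UNTRUSTED = "valid signature, but cannot verify sender (key is not trusted)"
VERDICT_TRUSTED = "valid signature from a trusted key"


def classify(status_text, from_addr):
    """Reduce GnuPG status lines to (verdict, signer_email).

    A cryptographically good signature (GOODSIG/VALIDSIG) only proves the
    message matches the key; whether that key really belongs to the sender
    is the separate TRUST_* question, which is what "cannot verify sender"
    reports.  Only the first token of each line is interpreted, so the extra
    fields newer GnuPG versions append to TRUST_* lines are ignored.
    """
    tokens = [l.split()[1:] for l in status_text.splitlines() if l.startswith("[GNUPG:] ")]
    kw = {t[0]: t[1:] for t in tokens if t}
    if "NO_PUBKEY" in kw:
        return VERDICT_NO_KEY, None
    if "BADSIG" in kw or "GOODSIG" not in kw:
        return VERDICT_BAD, None
    uid = " ".join(kw["GOODSIG"][1:])          # user ID text after the key ID
    m = re.search(r"<([^>]+)>", uid)
    signer = m.group(1).lower() if m else None
    if signer != from_addr.lower():
        return VERDICT_MISMATCH, signer
    trusted = any(k in kw for k in ("TRUST_FULLY", "TRUST_ULTIMATE"))
    return (VERDICT_TRUSTED if trusted else VERDICT_UNTRUSTED), signer
```

Signing the key locally (or having it signed by someone you already trust) is what moves a message from the untrusted verdict to the trusted one; fetching the key from a key server only resolves the first case.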
