
Re: mailing list pgp signatures...

Hash: SHA1

On 07/12/09 12:47, quoth Les:

> Hi, Steven,
> 	The point about the envelope is a good one.  It is a point I never
> considered.  But g's attitude doesn't make me fond of signing; in fact
> it does more to discourage users of messaging services from using PGP or
> S/MIME to sign messages.  His actions slow access, disturb the flow of
> work and, as you pointed out, are generally rude to the users of the list.
> As to someone signing messages to look like him, I don't see how that
> could happen, because the messages would have to be signed using his
> private key, unless he posted the private key as well.

I would not suggest that people be discouraged from signing because of nitwits
like G. So far, he has been the only one.

> 	In any event, even your signature shows up as "Valid signature, but
> cannot verify sender" in my Evolution.  I have checked before to see
> what servers are searched and it appeared correct, but since it cannot
> "verify sender", what does that really tell me?  If the email were
> business related I would be suspicious the first few times, then forget
> about it as regards your emails, but wouldn't that weaken the process?

Correct. I don't know you and you don't know me. Maybe someday we can each
participate in a keysigning and then we will trust each other and the Web Of
Trust will grow.

> 	In short, the problem I see with signatures right now, is the process
> is not well documented, and has more players than should be necessary.
> I don't know the solution, but the problems are somewhat self evident.
> If I cannot decipher some sigs, and cannot verify others, then what
> value is the process, and why would I add that overhead if it doesn't
> bring some real benefit.  I am not trolling here, just stating the case
> as I see it.

The process is extremely well documented. Besides all of the online docs, I
recommend PGP and GPG by Michael W. Lucas. He did a nice job of it. Please
don't forget that the history of crypto is quite bloody. Lots of people have
died for this stuff. Mary Queen of Scots lost her head because of lousy
crypto. Galois was murdered by his math professors over it. Alan Turing
committed suicide in part because his government would not help him when he
was charged with homosexuality, even though he should have gotten most of the
credit for cracking the Enigma machine. And Phil Zimmerman (2 m's and 1 n
please) gets credit for putting it all together so it's simple for the common
man to use, but he spent two years being prosecuted by the Feds until someone
posted the code to Usenet.

So if you want to read Applied Crypto by Schneier then you'll see that it's
not impossible to read, but the books and docs that target Joe Q. Public are
out there.

> 	One might make it more robust and not pass on unregistered emails, nor
> those that do not pass verification (whatever that may end up being).

I made a choice to verify/decrypt messages when read. A GPG plugin could be
added to spamassassin. Lots of stuff we can already do. It could get better
but not by much.

> 	But that would be the end of spammers as they would have to register,
> and be verified.  There are too many interests with cash in hand to make
> that realistic.  Any thoughts?

PGP is not about spam. It's about identity. Totally different issue.

-- 
Time flies like the wind. Fruit flies like a banana. Stranger things have  .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net
Version: GnuPG v2.0.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
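Added illustration, not part of the thread and not GnuPG's code: what Evolution's "Valid signature, but cannot verify sender" actually means, and why a keysigning changes it. gpg reports two separate things about a signed post, whether the signature checks out against the key (GOODSIG/BADSIG) and whether the reader's keyring can validate that key's owner (TRUST_*). The second is computed from key certifications and the reader's own ownertrust settings; the script below does that computation with GnuPG's default thresholds (one fully trusted certifier or three marginally trusted ones, validity propagated at most five hops). The public-key math is replaced by an HMAC stand-in so it runs with the Python standard library, and every key id, address and certification in it is constructed.

```python
"""Why a mail client reports "valid signature, but cannot verify sender".

GnuPG answers two separate questions about a signed post: GOODSIG/BADSIG
(does the signature check out against the key?) and TRUST_* (does the
reader's keyring give that key a valid owner?). Added example, not GnuPG
code; the public-key math is an HMAC stand-in so it runs with the standard
library only, and every key, address and certification is constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

COMPLETES_NEEDED = 1  # one fully trusted certifier validates a key ...
MARGINALS_NEEDED = 3  # ... or three marginally trusted ones
MAX_CERT_DEPTH = 5    # how far validity may propagate from the reader's key
ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"


@dataclass
class Key:
    keyid: str
    uid: str
    secret: bytes                                    # toy stand-in for the private key
    certified_by: set = field(default_factory=set)   # keyids whose owners signed this uid


@dataclass
class Keyring:
    keys: dict = field(default_factory=dict)        # keyid -> Key
    ownertrust: dict = field(default_factory=dict)  # keyid -> trust level set by the reader

    def add(self, key, ownertrust=UNKNOWN):
        self.keys[key.keyid] = key
        self.ownertrust[key.keyid] = ownertrust

    def certify(self, signer_keyid, target_keyid):
        """Record that signer's owner signed target's user id (a keysigning)."""
        self.keys[target_keyid].certified_by.add(signer_keyid)

    def valid_keys(self):
        """Classic PGP trust model: start from ultimately trusted keys and
        propagate validity through certifications made by valid, trusted keys."""
        valid = {k for k, t in self.ownertrust.items() if t == ULTIMATE}
        for _ in range(MAX_CERT_DEPTH):
            newly = set()
            for keyid, key in self.keys.items():
                if keyid in valid:
                    continue
                trusted = [self.ownertrust[c] for c in key.certified_by if c in valid]
                full = sum(t in (ULTIMATE, FULL) for t in trusted)
                marginal = sum(t == MARGINAL for t in trusted)
                if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                    newly.add(keyid)
            if not newly:
                break
            valid |= newly
        return valid

    def trust_status(self, keyid):
        """The verdict classes gpg emits on --status-fd."""
        if self.ownertrust[keyid] == ULTIMATE:
            return "TRUST_ULTIMATE"
        valid = self.valid_keys()
        if keyid in valid:
            return "TRUST_FULLY"
        partial = any(c in valid and self.ownertrust[c] != UNKNOWN
                      for c in self.keys[keyid].certified_by)
        return "TRUST_MARGINAL" if partial else "TRUST_UNDEFINED"


def sign(key, body):
    """Toy signature; real PGP uses RSA/DSA/EdDSA over a hash of the body."""
    return hmac.new(key.secret, body, hashlib.sha256).hexdigest()


def verify(ring, signer_keyid, body, signature):
    """Return (sig_status, trust_status), the two halves of the client's verdict."""
    if not hmac.compare_digest(sign(ring.keys[signer_keyid], body), signature):
        return "BADSIG", None  # gpg emits no TRUST_ line after a bad signature
    return "GOODSIG", ring.trust_status(signer_keyid)


def build_scenario():
    """Constructed keyring of a list reader plus one signed post from a stranger."""
    ring = Keyring()
    ring.add(Key("READER0001", "reader@example.invalid", b"reader-secret"), ULTIMATE)
    ring.add(Key("POSTER0001", "poster@example.invalid", b"poster-secret"))
    for i, name in enumerate(("carol", "dave", "erin")):  # met at a keysigning
        ring.add(Key(f"FRIEND000{i}", f"{name}@example.invalid", name.encode()), MARGINAL)
        ring.certify("READER0001", f"FRIEND000{i}")
    ring.add(Key("NEWBIE0001", "newbie@example.invalid", b"newbie-secret"))
    for i in range(3):  # all three friends signed the newcomer's key
        ring.certify(f"FRIEND000{i}", "NEWBIE0001")
    body = b"Hi list, this is a signed post.\n"
    return ring, body, sign(ring.keys["POSTER0001"], body)


if __name__ == "__main__":
    ring, body, sig = build_scenario()
    print(verify(ring, "POSTER0001", body, sig))         # ('GOODSIG', 'TRUST_UNDEFINED')
    print(verify(ring, "POSTER0001", body + b"!", sig))  # ('BADSIG', None)
    ring.certify("READER0001", "POSTER0001")             # reader certifies poster's key
    print(verify(ring, "POSTER0001", body, sig))         # ('GOODSIG', 'TRUST_FULLY')
    print(ring.trust_status("NEWBIE0001"))               # TRUST_FULLY via three marginals
```

Run as a script: the stranger's post verifies as GOODSIG with TRUST_UNDEFINED (the signature is mathematically fine, the keyring just has no path to its owner), the same signature over a tampered body is BADSIG, and the verdict becomes TRUST_FULLY once the reader has certified the poster's key after a keysigning. The newcomer's key shows the other route into the web of trust: no fully trusted certifier, but three marginally trusted ones. Real GnuPG prints the same GOODSIG and TRUST_ lines on --status-fd, and a client such as Evolution or Enigmail renders the GOODSIG/TRUST_UNDEFINED pair as "valid signature, but cannot verify sender".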

