
Re: mailing list pgp signatures...



On Mon, 2009-07-13 at 12:22 -0400, Steven W. Orr wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 07/12/09 19:05, quoth Rick Sewill:
> 
> > My thought is to pgp sign my mail.
> > 
> > Those who know me, who have spoken to me over the phone and have
> > received mail from me, can save my signature from my mail and know the
> > mail, and any future mail with that signature, is from me.
> 
> HOLD ON THERE BULLWINKLE!!!
> 
> Every message you send will have a different signature. Your signature is a
> function of the content of your message and your private key. It can only be
> verified using your public key. Saving a signature is of no value.
> 
> Signing a message says three things:
> 
> * You're reading a message from me, whoever I am.
> * I can never say that I never said it (non-repudiation).
> * The message is intact. It was not modified.
> 
> > Those who do not know me will have a valid, verified, but untrusted
> > signature.  If these people have a problem with my mail, they should be
> > able to track me down through my signature.
> 
> Not true. Public keys are not the same as a signature.
> 
> > If one receives mail that purports to be from me, and doesn't
> > have a signature or does have a signature, but not my signature,
> > I can claim I didn't send the mail, and hopefully, the person
> > who created the signature can be tracked down through their
> > signature.  I assume the key servers keep a log indicating what Internet
> > address was used to register what signature and those records can be
> > accessed if one can get a court order.
> 
> Not true and they do not.
> 
> - --
> Time flies like the wind. Fruit flies like a banana. Stranger things have  .0.
> happened but none stranger than this. Does your driver's license say Organ ..0
> Donor? Black holes are where God divided by zero. Listen to me! We are all- 000
> individuals! What if this weren't a hypothetical question?
> steveo at syslang.net
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.10 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
> 
> iEYEARECAAYFAkpbX1sACgkQRIVy4fC+NyRk8gCgir7aIHlJg5cmeQzqQcJOhoY4
> uHIAn3v8Dzqwn4WWYExziEFnQeNVan0F
> =vcfY
> -----END PGP SIGNATURE-----
> 

I stand corrected.  I was using signature and pgp public key
interchangeably.  Shame on me.

Steve, when I click on your signature, I can extract your DSA public
key, F0BE3724, see that it is verified, because you registered it
with the pgp servers (Thank you for registering!), but untrusted by me,
and if I wish to take further steps, I could trust what you sign.

This is a good example where we could build a trust relationship if we
took further steps.

-Rick

Attachment: signature.asc
Description: This is a digitally signed message part
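The three points Steve makes above (a signature is a function of the message and the private key, it can be checked only with the public key, and a saved signature is worthless on its own) can be seen in a few lines of code. The following is an added example, not code from either poster: it uses textbook RSA with toy keys built from known Mersenne primes as a stand-in for the DSA key discussed in the thread. The key sizes, the absence of padding, the mail texts and the names `make_keypair`, `sign`, `verify` and `run_demo` are all assumptions of this example; a real PGP implementation uses far larger keys and proper padding, and DSA additionally mixes a random nonce into each signature.

```python
import hashlib

# Added example (not from the thread): textbook RSA signing with toy keys built
# from known Mersenne primes. Real PGP keys are far larger and use padding;
# the key discussed in the thread is DSA, which also mixes in a random nonce.


def make_keypair(p: int, q: int, e: int = 65537):
    """Return (public_key, private_key) for the primes p and q."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, needs Python 3.8+
    return (n, e), (n, d)


def digest(message: bytes, n: int) -> int:
    """Hash the message and reduce it into the RSA modulus (no padding: toy only)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """The signature depends on the message content and the PRIVATE key only."""
    n, d = private_key
    return pow(digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Verification needs only the PUBLIC key plus the exact message text."""
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)


# Constructed toy keys: one standing in for Steve's key, one for an unrelated
# sender. M61, M89, M107 and M127 are all Mersenne primes.
STEVE_PUB, STEVE_PRIV = make_keypair((1 << 61) - 1, (1 << 89) - 1)
OTHER_PUB, OTHER_PRIV = make_keypair((1 << 107) - 1, (1 << 127) - 1)


def run_demo() -> dict:
    """Exercise the claims from the thread and return each outcome by name."""
    mail1 = b"Subject: signatures\n\nEvery message has a different signature."
    mail2 = b"Subject: signatures\n\nSaving a signature is of no value."
    sig1 = sign(mail1, STEVE_PRIV)
    sig2 = sign(mail2, STEVE_PRIV)
    tampered = mail1.replace(b"different", b"identical")
    return {
        # two different mails from the same key carry different signatures
        "signatures_differ": sig1 != sig2,
        # the genuine mail checks out against the public key
        "mail1_verifies": verify(mail1, sig1, STEVE_PUB),
        # a signature "saved" from mail1 proves nothing about mail2
        "saved_sig_on_other_mail": verify(mail2, sig1, STEVE_PUB),
        # changing one word in transit breaks the signature (integrity)
        "tampered_mail": verify(tampered, sig1, STEVE_PUB),
        # someone else's key cannot produce a signature Steve's public key accepts
        "forged_with_other_key": verify(mail1, sign(mail1, OTHER_PRIV), STEVE_PUB),
    }


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check}: {result}")
```

What a recipient should keep from a signed mail is therefore the public key (after checking its fingerprint with the sender), not the signature block itself; only the public key lets future mails be verified.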

