[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: mailing list pgp signatures...





On Tue, Jul 14, 2009 at 1:03 AM, Rick Sewill <rsewill gmail com> wrote:
On Mon, 2009-07-13 at 12:22 -0400, Steven W. Orr wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 07/12/09 19:05, quoth Rick Sewill:
>
> > My thought is to pgp sign my mail.
> >
> > Those who know me, who have spoken to me over the phone and have
> > received mail from me, can save my signature from my mail and know the
> > mail, and any future mail with that signature, is from me.
>
> HOLD ON THERE BULLWINKLE!!!
>
> Every message you send will have a different signature. Your signature is a
> function of the content of your message and your private key. It can only be
> verified using your public key. Saving a signature is of no value.
>
> Signing a message says three things:
>
> * You're reading a message from me, whoever I am.
> * I can never say that I never said it (non-repudiation).
> * The message is intact. It was not modified.
>
> > Those who do not know me will have a valid, verified, but untrusted
> > signature.  If these people have a problem with my mail, they should be
> > able to track me down through my signature.
>
> Not true. Public keys are not the same as a signature.
>
> > If one receives mail that purports to be from me, and doesn't
> > have a signature or does have a signature, but not my signature,
> > I can claim I didn't send the mail, and hopefully, the person
> > who created the signature can be tracked down through their
> > signature.  I assume the key servers keep a log indicating what Internet
> > address was used to register what signature and those records can be
> > accessed if one can get a court order.
>
> Not true and they do not.
>
> - --
> Time flies like the wind. Fruit flies like a banana. Stranger things have  .0.
> happened but none stranger than this. Does your driver's license say Organ ..0
> Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
> individuals! What if this weren't a hypothetical question?
> steveo at syslang.net
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.10 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkpbX1sACgkQRIVy4fC+NyRk8gCgir7aIHlJg5cmeQzqQcJOhoY4
> uHIAn3v8Dzqwn4WWYExziEFnQeNVan0F
> =vcfY
> -----END PGP SIGNATURE-----
>

I stand corrected.  I was using signature and pgp public key
interchangeably.  Shame on me.

Steve, when I click on your signature, I can extract your public DSA
public key, F0BE3724, see that it is verified, because you registered it
with the pgp servers (Thank you for registering!), but untrusted by me,
and if I wish to take further steps, I could trust what you sign.

This is a good example where we could build a trust relationship if we
took further steps.

-Rick


--
fedora-list mailing list
fedora-list redhat com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
Somehow I am disappointed to see all of this.  G does not write often but does so when he does think that it is worth offering a usefull contribution to a problem at hand.  For some to try and to tar him with the association/way of doing things such as Karl definitely is in error.  He is far more knowledgeable about Unix and Linux than Karl and has show this in his emails.  He does not write as Karl has done to complain of many issues based on incomplete understanding of Linux and specifically of Fedora.  Normally I only see G's responses when he is offering useful information to some question at hand.  I am not sure I have ever seen him complain except in response to an email (perhaps unreasonably) attacking him on some question.
He does have the support of Ann Wilson (a message long ago) and she is one that is close to the top of my list of "respected" posters to this group.  David, I do understand the basis of your complaint regarding delays caused by usage of GPG public keys which are not registered which leads to very lengthy delays, and I also can see from G's response his reasoning for his current way of sending emails to this list using a GPG signature (key offered on request (manual)).  I would be very sorry to not have the privelage of G's advice on this list as it always has been usefull and concise.... Hopefully we can all be more open minded on this question.
Fennix

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]