Re: Compiling GnuPG problem
On Wed, 1 Feb 2012 07:23, themuslimagor...@gmail.com said:

> compress.c:34:18: fatal error: zlib.h: No such file or directory
> compilation terminated.

You need to install zlib development files. On a Debian system this is the package zlib1g-dev.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Using the not-dash-escaped option
On Tue, 31 Jan 2012 23:29, paul.hart...@gmail.com said:

> It's still missing the trailing space, assuming you put one there in the first place... many people don't realize it's supposed to be there.

The best way to make sure that it does not get removed is by using QP encoding. (--=20\n).

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: [META] The issue of the unwelcome CC
Hi,

Let me quote from the Gnus manual, which explains how some think it should be handled.

  Sometimes while posting to mailing lists, the poster needs to direct followups to the post to specific places. The Mail-Followup-To (MFT) was created to enable just this. Three example scenarios where this is useful:

  * A mailing list poster can use MFT to express that responses should be sent to just the list, and not the poster as well. This will happen if the poster is already subscribed to the list.
  * A mailing list poster can use MFT to express that responses should be sent to the list and the poster as well. This will happen if the poster is not subscribed to the list.
  * If a message is posted to several mailing lists, MFT may also be used to direct the following discussion to one list only, because discussions that are spread over several lists tend to be fragmented and very difficult to follow.

  Gnus honors the MFT header in other's messages (i.e. while following up to someone else's post) and also provides support for generating sensible MFT headers for outgoing messages as well.

The basic rule is that the first poster to a thread decides what to do, any later reply may change that - but only by adding CC headers. Without that rule some may miss a mail. Gnus considers a missed mail more serious than a duplicated mail.

If you delay mail receiving for a few minutes, it is possible to use the message-id to filter out the duplicates. Well, this does not work always (e.g. due to greylisting) but it has the ability to remove duplicates in many cases.

For many years I used Gnus internal mail splitting which handles duplicates suppression very well. Meanwhile I switched back to procmail and a local imapd. This does not have the full Gnus filtering and I also did not implement the above strategy. It doesn't harm - I check my general folder for important messages and then turn to the mailing lists. By reading the mailing lists the duplicates in the general mail folder will also be marked.

Salam-Shalom,

   Werner

ps.
Things which annoy me much more than CCs are: top posting, not stripping long quotes, missing to insert a was: after changing the subject, and changing the name part of the address to include the list name.

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: Compiling GnuPG problem
Werner,

Thanks for your help. I discovered a list of libraries that needed to be installed prior to GnuPG. I got that figured out, but now I'm getting a new error message:

compress.c:34:18: fatal error: zlib.h: No such file or directory
compilation terminated.

Any ideas? Thanks again for your help and patience.

Peace
Davi

On Tue, Jan 31, 2012 at 4:56 AM, Werner Koch w...@gnupg.org wrote:

> On Tue, 31 Jan 2012 06:03, themuslimagor...@gmail.com said:
>
> > I successfully downloaded a package named gnupg-2.0.18.tar.bz2 from gnupg.org. Following the instructions, I successfully configured the package using the ./configure command, but when I attempted to compile he
>
> Are you sure that the configure run was successful? Read the error messages closely. At the end of a successful run you should see a list of configure options active for the build (platform: , etc.). Most likely you missed to install or build a required dependency
>
> Shalom-Salam,
>
>    Werner
>
> --
> Thoughts are free. Exceptions are regulated by a federal law.

--
The San Francisco Muslim Examiner http://www.examiner.com/muslim-in-san-francisco/davi-barker
National Libertarian Examiner http://www.examiner.com/libertarian-in-national/davi-barker
Graphic Artist at Eccentric Circle http://www.facebook.com/EccentricCircle
Propagandist at Vote 4 Nobody http://www.facebook.com/Vote4Nobody
Re: Reply-to netiquette (was [META] please start To: with gnupg-users@gnupg.org...)
On Tue, 31 Jan 2012 20:18:44 -0800 Doug Barton articulated:

> Actually many of the FreeBSD lists moderate posts from non-members, but none of them outright block them. I realize that this isn't germane to your main point, but I wouldn't want the wrong information to live forever in the archives. :)

Yes, many of them do; however, I was referring to only one of them, the FreeBSD Questions freebsd-questi...@freebsd.org list. I probably should have been more specific. In any case, it more than amply demonstrates my point of the uselessness of CCing on a closed list such as this one which you interestingly enough did not address although you did send me a copy via CC of this message even though I specifically asked not to receive one and have configured Mailman to not send me a CC'd copy. I am not sure why this one got through.

--
Jerry ♔

Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.
Re: Compiling GnuPG problem
Davi Barker wrote:

> Werner,
>
> Thanks for your help. I discovered a list of libraries that needed to be installed prior to GnuPG. I got that figured out, but now I'm getting a new error message:
>
> compress.c:34:18: fatal error: zlib.h: No such file or directory
> compilation terminated.

It looks like you still need to install some more packages before you can start on GnuPG proper.

On my system (RedHat Enterprise Server), zlib.h is in /usr/include, and has come from the zlib-devel package. Ubuntu might put it in a differently-named package, but I doubt it would be too tricky to find.

My system also has a few other files called zlib.h, one is from the syslinux package, and the other is in kernel-devel.

HTH HAND
Re: 1024 key with 2048 subkey: how affected?
On Mon, Jan 23, 2012 at 9:08 PM, John Clizbe j...@enigmail.net wrote:

> Larger and larger RSA keys aren't the solution, ECC is. The balance of power has tipped away from RSA and toward ECC. Feel free to ignore everything I've said. There's no reason you should trust me. But by all means, keep asking questions. But everything I've read agrees larger and larger RSA keys are not the path forward.

I agree with you entirely, I'm just waiting for the various standards to pick it up, and for more people to use it. When many people (whose opinion I value) use and trust it, I will also.

Cheers

Chris Poole
[PGP BAD246F9]
Re: 1024 key with 2048 subkey: how affected?
On Mon, Jan 23, 2012 at 10:11 PM, Robert J. Hansen r...@sixdemonbag.org wrote:

> A lot of people like to refer to _Applied Cryptography_ or _The Handbook of Applied Cryptography_ for information on algorithms, and for very good reason: they've generally got excellent information. They are also old books. _AC_ is coming up on twenty years old, for instance, and _HoAC_ isn't much younger. At the time these books were written the jury was still out on whether ECC had firm theoretical underpinnings. Nowadays the jury is back, and ECC is generally recognized as being as reputable as RSA, DSA or Elgamal.

Are you able to recommend any particular resources or books that cover ECC in a more complete and up to date fashion?

Cheers

Chris Poole
[PGP BAD246F9]
Re: 1024 key with 2048 subkey: how affected?
On 2/1/12 9:43 AM, Chris Poole wrote:

> Are you able to recommend any particular resources or books that cover ECC in a more complete and up to date fashion?

Many. The real question is what level of depth you want.

Googling for "nsa suite b" would be a pretty good starting place, probably. The National Security Agency has approved the use of ECC for classified material as part of their Suite B cryptography package. As is the case with most government standards there is ample documentation about everything from the theoretical to the practical, although it isn't all collected in one place.
Re: 1024 key with 2048 subkey: how affected?
On Wed, 1 Feb 2012 15:43, li...@chrispoole.com said:

> Are you able to recommend any particular resources or books that cover ECC in a more complete and up to date fashion?

@book{Hankerson:2003:GEC:940321,
 author = {Hankerson, Darrel and Menezes, Alfred J. and Vanstone, Scott},
 title = {Guide to Elliptic Curve Cryptography},
 year = {2003},
 isbn = {038795273X},
 url = {http://www.cacr.math.uwaterloo.ca/ecc/},
 publisher = {Springer-Verlag New York, Inc.},
 address = {Secaucus, NJ, USA},
}

It is similar to the already mentioned HAC.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: PGP/MIME use
On Wednesday, 1 February 2012, 01:04:57, Robert J. Hansen wrote:

> > It is hard for me to believe that a serious user of GnuPG does not use it for email.
>
> This sounds like a No True Scotsman fallacy. If someone uses GnuPG but not for email, does that disqualify them from being a serious user?

Of course not. I just don't believe that there are many examples of this type out there. To me a serious user is one who actively signs, encrypts, and/or verifies data and knows what he is doing. He has created a key and verified at least one. Everything else seems like special use to me.

> Linux might account for half a percent of mindshare, so ... my prejudice is that there are about a million GnuPG users in the United States. They might not even know it, but they're part of the userbase.

That's not what I would call a serious user. Counting that way some big distributors would just have to add Enigmail to their (graphical) default installation and to you the number of Enigmail users would get boosted by a factor of 100 without any real change.

> (GnuPG is already on your system.)

That's not true for a certain quite popular OS. How many Windows users install GnuPG without Enigmail? Given the huge difference in Linux and Windows users this affects the calculation a lot.

> GnuPG would still crush us with between 100,000 and 350,000 'knowing' users.

Knowing is not the point to me.

> That's not how the world works.
> if/when we need to guarantee the integrity of our message

The world (at least the part I am familiar with) relies (implicitly) even more on the integrity of a message than on trust. If you get an important information, question or order and have doubts about the integrity of the message then you will do some checks, no matter how much you trust. Of course, doubts are much lower today than they should be. That's how a part of online crime works.

On the other hand is the proof of the integrity of a message often enough even if you do not know the person. Quite often people have to make manual signatures without being known to the person who demands for that. Often the content is less important than the possibility to hold someone responsible for it.

Another point: I get most of my (both private and professional) emails from people I know.

> The reach of trust has been extended, sure, but that doesn't help much when there isn't trust.

Right. I would put it this way: A signature cannot raise the trust in a message content above the trust in the sender / signer. But a missing signature can (and usually will) lower the trust in the message content below the trust in the (non-proven) sender.

> Imagine what would've happened if Roger had sent me that as a *signed* email.
> In this second alternate history, MFPA sends me a signed message

And which of these scenarios is more probable? Who will after starting to sign emails start to send emails to people he is not familiar with? The first scenario is an improvement for you, the second does not make a difference (except for some wasted bandwidth). Leaving out the cost it would not make sense to do without signatures.

> time as me and posting incredibly offensive things on University forums using my name. For a while I considered signing everything,

Which is BTW not so easy. Many people use webmail. And there are reasons for not importing private keys onto work PCs. I am often too lazy to plug in the smartcard reader. But in the signature I apologize for not signing the mail. ;-) And if the content was important I would use the smartcard, of course.

> so I could then deny making those posts. "I didn't write that! I sign everything! That has a bad/missing signature!"

You probably wouldn't even have to because everyone who is in regular contact with you would know that. On the other hand: Signing in a web forum seems kind of extreme (and unsafe with respect to breaking the signature by automatic text formatting). :-)

> And then I imagined my dean answering, "That proves nothing: after all, if I was posting this stuff I wouldn't sign it, either."

Would not make much sense to use the name but not sign it, though.

> * Signatures on mailing lists are mostly (and maybe entirely) useless because of how few members have pre-existing trust relationships with others

The ability to hold someone responsible for his messages (which usually requires a signature but a signature is not enough to ensure that) is not the same like trust but an important point, too.

Hauke

--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
Re: PGP/MIME use
On 2/1/12 10:47 AM, Hauke Laging wrote:

> Of course not. I just don't believe that there are many examples of this type out there. To me a serious user is one who actively signs, encrypts, and/or verifies data and knows what he is doing. He has created a key and verified at least one. Everything else seems like special use to me.

Then yes, you are selecting for email users. There are quite a lot of people who use GnuPG primarily for themselves -- for instance, a system administrator who signs each backup, a lawyer who encrypts files when in transit on a flash drive, etc. The overwhelming majority of the users you see are using email, yes, but only because email is the method by which you come to see them. Users who never announce their usage (the system administrator, the lawyer, etc.) are completely invisible to you.

I can't give an estimate on the number of 'invisible' users: they're invisible to me, too. But I'm not going to believe they don't exist, or that they don't exist in good numbers.

> That's not what I would call a serious user.

A 'serious user' is, to me, someone who will send angry emails if things break. If a program can fail and not have an immediate adverse effect on a user, the program is not important to the user and the user can be said to not be a serious user.

If GnuPG breaks, a whole lot of the Linux experience breaks. You get warnings left and right about installing packages with bad signatures, important updates don't happen, etc. This will result in a lot of angry people strangling whoever is responsible for breaking their PC.

Yes, this definition means that you're a serious user of your OS kernel. And why wouldn't you be? You demand your PC make thousands of kernel calls each second. Is that not serious use?

> Counting that way some big distributors would just have to add Enigmail to their (graphical) default installation and to you the number of Enigmail users would get boosted by a factor of 100 without any real change.

Think about what you're saying:

(a) a major distro would have to ditch their email client for Thunderbird
(b) a user would have to download and install Enigmail, since it's not a standard part of Thunderbird

Ubuntu will be switching to Thunderbird in 12.04, apparently, so that takes care of (a). I doubt we will see a huge surge in Enigmail users as a result, though, since (b) is unchanged.

As soon as both Thunderbird *and* Enigmail are part of a standard Linux installation, let me know. I'd love to know about it. Until then, I think Enigmail is going to remain a niche player.

> > (GnuPG is already on your system.)
>
> That's not true for a certain quite popular OS.

Quote in context, please. In context, that sentence obviously referred to Linux users. Quoting people out-of-context to score points is a pet peeve of mine.

> > GnuPG would still crush us with between 100,000 and 350,000 'knowing' users.
>
> Knowing is not the point to me.

Well, clearly the install base isn't the point, you've already said those aren't what you'd call 'serious users'. And if users who know of, are aware of, who pay attention to, how GnuPG works behind the scenes aren't relevant to you, then what is?

Each benchmark I use to represent a class of users, you reject as being not what you're talking about, so please tell me precisely what you *are* talking about.

> And which of these scenarios is more probable? Who will after starting to sign emails start to send emails to people he is not familiar with?

Quite a lot, apparently. There are a whole lot of people on this mailing list. I'm sending a message to all of them, including people I don't even know.

Your question: "Who will after starting to sign emails start to send emails to people he is not familiar with?"

The answer is Facebook. Google+. eHarmony. Match.com. JDate. Bear411. ChristianSingles.com. The list goes on and on and on. (Note: my mention of any service is not an endorsement. If so, I'd be a weird mess of contradictions: a nice Jewish boy who happens to be a Pentecostal bear...)

People love to talk and to meet new people. You can't stop people from talking to each other. It's part of the human experience. Something about creating social connections tickles something deep in our brains. It's like a drug. It's so much part of the human experience that we do it even when it's risky and dangerous, and for those who *don't* love to talk and meet new people we hang words like "misanthrope" or "hermit" off them -- words with powerful connotations of psychological dysfunction.

> You probably wouldn't even have to because everyone who is in regular contact with you would know that.

Yes, but that's completely irrelevant. I don't mean to be callous, but you've missed a very important point. The people who would be complaining about my conduct would be people who don't know me from the wind. *They're* the ones who would have to be persuaded I was on
Re: PGP/MIME use
On Wed, 1 Feb 2012 16:47, mailinglis...@hauke-laging.de said:

> That's not true for a certain quite popular OS. How many Windows users install GnuPG without Enigmail? Given the huge difference in Linux and Windows users this affects the calculation a lot.

A quick data point. From March to May, after the release of Gpg4win 2.1, we had an average of more than 600 downloads per day from the primary server. That is more than 5 in 3 months. In June we even reached 800 per day. Unfortunately I don't have any newer numbers available.

And there are also the users of gnupg 1.4 - I don't run statistics on ftp.gnupg.org, thus I can't tell you any numbers.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: PGP/MIME use
On 01/02/12 16:19, Robert J. Hansen wrote:

> As soon as both Thunderbird *and* Enigmail are part of a standard Linux installation, let me know. I'd love to know about it. Until then, I think Enigmail is going to remain a niche player.

Has there been a concerted effort to make Enigmail an integral part of Thunderbird, distributed with it? If yes, what are the reasons that it has been rejected so far? If no, why not?

--
Mike Cardwell https://grepular.com/ http://cardwellit.com/
OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
Re: PGP/MIME use
On Wed, 1 Feb 2012 17:40, gn...@lists.grepular.com said:

> Has there been a concerted effort to make Enigmail an integral part of Thunderbird, distributed with it? If yes, what are the reasons that it has been rejected so far? If no, why not?

The Mozillas don't like OpenPGP. To them it is probably too much anarchy compared to S/MIME. Ask the Mammon.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: PGP/MIME use
On Wed, 01 Feb 2012 17:55:05 +0100 Werner Koch articulated:

> The Mozillas don't like OpenPGP. To them it is probably too much anarchy compared to S/MIME. Ask the Mammon.

Windows users prefer S/MIME. I know I use it on my Windows machines because it does not require me to install more applications. It works seamlessly in Outlook, which is probably its biggest asset. Perhaps the Mozilla folks, realizing that Microsoft users are probably its largest base audience prefer to stick with what its main constituency want.

Just a guess and my own 2¢.

--
Jerry ♔

Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.
Re: PGP/MIME use
gnupg-users-boun...@gnupg.org wrote on 02/01/2012 10:51:46 AM:

> - Message from Robert J. Hansen r...@sixdemonbag.org on Wed, 01 Feb 2012 11:19:08 -0500 -
> To: gnupg-users@gnupg.org
> Subject: Re: PGP/MIME use
>
> On 2/1/12 10:47 AM, Hauke Laging wrote:
>
> > Of course not. I just don't believe that there are many examples of this type out there. To me a serious user is one who actively signs, encrypts, and/or verifies data and knows what he is doing. He has created a key and verified at least one. Everything else seems like special use to me.
>
> Then yes, you are selecting for email users. There are quite a lot of people who use GnuPG primarily for themselves -- for instance, a system administrator who signs each backup, a lawyer who encrypts files when in transit on a flash drive, etc. The overwhelming majority of the users you see are using email, yes, but only because email is the method by which you come to see them. Users who never announce their usage (the system administrator, the lawyer, etc.) are completely invisible to you.

I would be one who fits in the other case. I've never signed an e-mail--no one at our organization does. (Not that I wouldn't like to, but nearly all those with whom I communicate wouldn't have any use for nor comprehension of the signature.)

However, I've written scripts to routinely sign files for transmission to our bank. I would definitely count us as serious users. We would be very upset if the bank started rejecting transmissions due to the lack of a valid signature. Seeing that our bank is a very large one, I'm sure there are plenty of others who also sign their business transmissions using GPG.

Michael
Re: PGP/MIME use
On 2/1/12 11:40 AM, gn...@lists.grepular.com wrote:

> Has there been a concerted effort to make Enigmail an integral part of Thunderbird, distributed with it?

I don't know what you mean by a concerted effort. Maybe five Enigmail users count under your definition, maybe fifty: maybe two people within Mozilla, or maybe nobody has to be within Mozilla, etc.

All I can say is that at various times people have tried to push for this, but so far without success. There seem to be two major reasons for this:

* S/MIME is already irrelevant to the vast majority of Thunderbird users, and providing OpenPGP would just introduce a redundant irrelevant capability
* Enigmail requires a binary that's not maintained by Mozilla, which is released on its own schedule, and is licensed under terms other than those Mozilla prefers
Re: PGP/MIME use
On Wed, 1 Feb 2012 18:19, je...@seibercom.net said:

> Windows users prefer S/MIME. I know I use it on my Windows machines because it does not require me to install more applications. It works

But users need to pay their Internet tax to Verislime et al. Or, tinker with CAcert root certificates.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: GnuPG asp net on web server
On Tue, 31 Jan 2012 20:20, zenobiuszbiedrzy...@poczta.onet.pl said:

> szyfrowanie.StartInfo.Arguments() = --recipient mail --armor --encrypt sciezka nazwa_pliku

At least add --batch to the options.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: PGP/MIME use
On Wed, 1 Feb 2012 13:37:56 -0500 michaelquig...@theway.org articulated:

> However, I've written scripts to routinely sign files for transmission to our bank.

Does your bank actually verify those signed documents? I have sent documents to various organizations, both signed and unsigned and never heard a word spoken from any of them regarding it.

--
Jerry ♔

Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.
Re: PGP/MIME use
On 2/1/12 2:23 PM, Jerry wrote:

> Does your bank actually verify those signed documents?

I can't vouch for financial institutions. I can tell you that when I was working in electronic voting, whenever I asked questions about "do you verify signatures?" I was always assured that yes, yes they did. Whenever I asked, "when was the last time you had a bad signature?" I always received an answer of either "gee, look at the time, gotta go", or "we've never had a bad signature on data from a real election, after all, our systems are reliable and trustworthy."

From the perspective of the voting authority, if they say "no we don't check signatures" it undercuts confidence, therefore they always say they check signatures. If they say "yeah, we had a bad sig last week, a byte got dropped somewhere, we re-sent the data and it was fine", that, too, undercuts confidence: they're admitting the system isn't perfect.

I liked hearing the "Gee, look at the time, gotta go" answer. It seemed to be the most honest.

YMMV, and banks are definitely different beasts from voting authorities.
Re: [META] Apologies was: The issue of the unwelcome CC
On 2/1/2012 04:15 AM, Werner Koch wrote:

> <snip>
> ps.
> Things which annoy me much more than CCs are: top posting, not stripping long quotes, missing to insert a was: after changing the subject, and changing the name part of the address to include the list name.

I apologize for not putting the was: in when I initially posted with the changed subject line. I usually do so, in this case, however, I felt it would violate a pet peeve of my own - that is unnecessarily long (and often confusing) subject lines. I should, nevertheless, have either used that convention, or started a new thread.

I want to make clear to all here: I did not intend to offend anyone, or start a flame war on this list - this is why I did not reply to the thread until now. I was only pointing out that I sometimes receive, on other lists two copies of messages addressed To: someone else CC: mailing list. I do not complain about it, as I assume it to be a problem of the MTA and not the intention of the person replying that way.

Regards,
Christopher Walters

P.S. Those things all bother me, as well. This is why I decided to post this reply.
Re: Using the not-dash-escaped option
Hi

On Wednesday 1 February 2012 at 5:20:46 AM, in mid:ui@r78.nl, Remco Rijnders wrote:

> And for what it's worth... my client tells me the signature on this particular post you made is invalid. Your other posts to this list all pass the test ;-)

I just tried and got good signature. Strange.

--
Best regards

MFPA mailto:expires2...@rocketmail.com

Two wrongs don't make a right. But three lefts do.
On message signing and Enigmail...
I thought I would start a new thread because of the thread confusion.

I first want to say that I use Enigmail with Thunderbird, and check the To: and CC: lines of any replies before I send my reply to any list, to avoid people receiving unwanted private email from me.

On the issue of signing: I do sign my messages, and have uploaded my public keys to key servers, so they are available to check that no one has changed my message. In reply to the concept that it is meaningless, I will say that I feel that it adds a layer of trust (perhaps more than one, if you have one or more lines of trust to the poster) that the message was, in fact, posted by the person signing it, and that person stands behind what they say.

OpenPGP's PGP/MIME vs. S/MIME: I have always used Enigmail with Thunderbird on Windows, and GNU/Linux systems (I dual boot, so I use both). I do not use S/MIME, have never done so, do not intend to start.

On inline vs. PGP/MIME signed messages: I post to several lists, forums and groups. Some strip attachments, by default, and since my signature is sent as an attachment when using PGP/MIME, it is stripped from my message. Also, some of my contacts have set ups that automatically strip attachments (e.g. my signature). Therefore, I decided that it is best for all to use the plain text only type of posting and an inline signature so that everyone on all lists can at least verify that I have taken the time to install GnuPG on my system, generate a key pair with my name and email address, upload my public key to a widely used key server, and enter my passphrase to sign the message.

Those are my thoughts on this matter.

Sincerely,
Christopher J. Walters
Re: On message signing and Enigmail...
On 2/1/12 3:34 PM, Christopher J. Walters wrote:

> On the issue of signing: I do sign my messages, and have uploaded my public keys to key servers, so they are available to check that no one has changed my message.

Except that it doesn't. What's to prevent me from creating a certificate with your name and email address and making posts in your name, with a signature from a certificate that claims to be yours? Nothing -- and that signature is every bit as credible as the one that's from your own certificate. You might say, "but that certificate's a fraud, my certificate's real!", but the Christopher Walters impersonator will say the same thing about you. There's no way to check.

I understand the desire to give people a way to verify the integrity of your message, but the way you're going about it has some glaring and obvious flaws.

> In reply to the concept that it is meaningless, I will say that I feel that it adds a layer of trust (perhaps more than one, if you have one or more lines of trust to the poster) that the message was, in fact, posted by the person signing it, and that person stands behind what they say.

I can't argue against a feeling. No one can. Feelings are what they are, and they are immune to the forces of reason. That said, I consider this sentiment to be a close analogue of feeling that statements given by argyle-wearing men who speak Occitan with a lisp are more trusted than statements given by others. It's crazy. It's just that it's your particular flavor of it, and I respect that. Just don't ask me to subscribe to it. :)

(No pejoration is intended. We all have our own particular flavors of crazy.)
Re: Using the not-dash-escaped option
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi

On Wednesday 1 February 2012 at 8:48:53 AM, in mid:87ehuf0wi2@vigenere.g10code.de, Werner Koch wrote:

> The best way to make sure that it does not get removed is by using QP encoding. (--=20\n).

I'm not sure that helps me. See below.

- --=20\n
Best regards

MFPA mailto:expires2...@rocketmail.com

Put knot yore trust inn spel chequers
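The `- --=20\n` line in the message above is what clearsigning does to any line that starts with a dash. The following added example (not code from the thread or from GnuPG) applies the cleartext-signature rules of RFC 4880 section 7.1 to a constructed body, showing that the trailing space of a `-- ` delimiter is not covered by the signature and that only a quoted-printable transfer encoding, not `=20` typed into the body, carries it through; the function names and the sample body are assumptions.

```python
import quopri

SIG_DELIM = "-- "  # signature delimiter: dash, dash, space
# Constructed sample body (no trailing newline, as it is fed to the signer).
BODY = "Best regards\n-- \nExample Poster"


def dash_escape(body: str) -> str:
    """Prefix every line that starts with '-' with '- ' (RFC 4880, 7.1)."""
    return "\n".join("- " + ln if ln.startswith("-") else ln
                     for ln in body.split("\n"))


def dash_unescape(body: str) -> str:
    """Reverse dash_escape: strip one leading '- ' from escaped lines."""
    return "\n".join(ln[2:] if ln.startswith("- ") else ln
                     for ln in body.split("\n"))


def signed_octets(body: str) -> bytes:
    """Bytes that are hashed for a cleartext signature: trailing spaces and
    tabs removed from every line, line endings canonicalised to CRLF."""
    return "\r\n".join(ln.rstrip(" \t") for ln in body.split("\n")).encode("utf-8")


def relay_strip(body: str) -> str:
    """What a whitespace-trimming mail relay or archiver does to the body."""
    return "\n".join(ln.rstrip(" \t") for ln in body.split("\n"))


def has_sig_delimiter(body: str) -> bool:
    """True if a line is exactly the delimiter, trailing space included."""
    return SIG_DELIM in body.split("\n")


def qp_wire(body: str) -> bytes:
    """Quoted-printable transfer encoding of the body as sent on the wire."""
    return quopri.encodestring((body + "\n").encode("utf-8"))


def qp_restore(wire: bytes) -> str:
    """Decoding done by the receiving mail client."""
    return quopri.decodestring(wire).decode("utf-8")


if __name__ == "__main__":
    # 1. Clearsigning turns the delimiter line into "- -- ".
    print(repr(dash_escape(BODY).split("\n")[1]))
    # 2. Stripping the trailing space leaves the hashed bytes unchanged, so the
    #    signature still verifies although the delimiter is now broken.
    stripped = relay_strip(BODY)
    print(signed_octets(stripped) == signed_octets(BODY), has_sig_delimiter(stripped))
    # 3. Quoted-printable protects the space in transit ("--=20") and the
    #    receiving client restores it.
    print(qp_wire(BODY), has_sig_delimiter(qp_restore(qp_wire(BODY))))
    # 4. "=20" typed into the body is ordinary text: it is dash-escaped and
    #    signed literally, and no space is ever produced from it.
    print(repr(dash_escape("--=20")))
```
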
Re: Reply-to netiquette (was [META] please start To: with gnupg-users@gnupg.org...)
On 02/01/2012 03:19, Jerry wrote:

> In any case, it more than amply demonstrates my point of the uselessness of CCing on a closed list such as this one which you interestingly enough did not address

I already addressed that issue in previous posts.

Stop trying to force other people to change, and deal with what life brings. You'll live a happier life overall. :)

--
It's always a long day; 86400 doesn't fit into a short.

Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/
Re: On message signing and Enigmail...
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/02/12 20:45, Robert J. Hansen wrote:

>> On the issue of signing: I do sign my messages, and have uploaded my public keys to key servers, so they are available to check that no one has changed my message.
>
> Except that it doesn't. What's to prevent me from creating a certificate with your name and email address and making posts in your name, with a signature from a certificate that claims to be yours? Nothing -- and that signature is every bit as credible as the one that's from your own certificate. You might say, "but that certificate's a fraud, my certificate's real!", but the Christopher Walters impersonator will say the same thing about you. There's no way to check.

Isn't this the whole point of the web of trust?

And if somebody uses the same key to sign mail repeatedly it builds a history and an identity. It doesn't stop somebody else coming in and using a fake key, but that person can't successfully claim to be the same person who signed all the other mail. Not if the person who actually signed all of the historical mail still has access to that key and can call them out on it.

I've posted using the same key on probably a dozen mailing lists, I use it for all of my personal and work email. I use it to sign all of the comments on my blog. I use it to sign the front page of my website. There is very definite and obvious value in using the same key in multiple places to establish the connection between your key and your identity. Mailing lists are just another one of these places.

- --
Mike Cardwell https://grepular.com/ http://cardwellit.com/
OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
Re: On message signing and Enigmail...
On 02/01/2012 13:05, gn...@lists.grepular.com wrote:

> On 01/02/12 20:45, Robert J. Hansen wrote:
>
>>> On the issue of signing: I do sign my messages, and have uploaded my public keys to key servers, so they are available to check that no one has changed my message.
>>
>> Except that it doesn't. What's to prevent me from creating a certificate with your name and email address and making posts in your name, with a signature from a certificate that claims to be yours? Nothing -- and that signature is every bit as credible as the one that's from your own certificate. You might say, "but that certificate's a fraud, my certificate's real!", but the Christopher Walters impersonator will say the same thing about you. There's no way to check.
>
> Isn't this the whole point of the web of trust?

Different category of problems. But what does a large number of signatures from people you don't know tell you more than a single key without signatures?

> And if somebody uses the same key to sign mail repeatedly it builds a history and an identity.

It builds the *appearance* of an identity. Did you not read Robert's story of multiple people posting using the same key?

> It doesn't stop somebody else coming in and using a fake key, but that person can't successfully claim to be the same person who signed all the other mail. Not if the person who actually signed all of the historical mail still has access to that key and can call them out on it.

This much is true, yes.

> I've posted using the same key on probably a dozen mailing lists, I use it for all of my personal and work email. I use it to sign all of the comments on my blog. I use it to sign the front page of my website. There is very definite and obvious value in using the same key in multiple places to establish the connection between your key and your identity. Mailing lists are just another one of these places.

The only thing what you're doing proves is that at the time those things were posted someone had control of the secret key, and that the messages weren't altered after they were signed. Beyond that everything is speculation.

Doug

--
It's always a long day; 86400 doesn't fit into a short.

Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/
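The disagreement in this exchange maps onto what a verifier can actually observe. This added example (not code from any poster or from GnuPG) parses constructed `gpg --status-fd` lines and separates a signature made by the key previously seen for an address from one made by a different key carrying an identical user ID; the pin store, the function names and the all-A/all-B fingerprints are assumptions for illustration.

```python
import re
from dataclasses import dataclass

PREFIX = "[GNUPG:] "
FPR_A = "A" * 40   # constructed fingerprint: the key seen first
FPR_B = "B" * 40   # constructed fingerprint: a second key with the same user ID
UID = "Alice Example <alice@example.org>"   # constructed user ID


@dataclass
class SigResult:
    good: bool = False         # a GOODSIG line was seen
    uid: str = ""              # user ID text, chosen freely by whoever made the key
    fingerprint: str = ""      # primary-key fingerprint from VALIDSIG
    trust: str = "UNDEFINED"   # key validity gpg computed from the local trustdb


def make_status(fpr: str, uid: str, trust: str = "TRUST_UNDEFINED") -> str:
    """Build constructed status output for a cryptographically good signature."""
    return "\n".join([
        PREFIX + "NEWSIG",
        PREFIX + f"GOODSIG {fpr[-16:]} {uid}",
        PREFIX + f"VALIDSIG {fpr} 2012-02-01 1328130000 0 4 0 1 10 01 {fpr}",
        PREFIX + trust,
    ])


BAD_STATUS = PREFIX + f"BADSIG {FPR_A[-16:]} {UID}"   # constructed: altered message


def parse_status(text: str) -> SigResult:
    """Extract the verification outcome from gpg --status-fd output."""
    res = SigResult()
    for line in text.splitlines():
        if not line.startswith(PREFIX):
            continue
        fields = line[len(PREFIX):].split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword == "GOODSIG" and args:
            res.good = True
            res.uid = " ".join(args[1:])
        elif keyword == "VALIDSIG" and args:
            # The tenth argument is the primary key's fingerprint when present;
            # otherwise fall back to the signing key's own fingerprint.
            res.fingerprint = (args[9] if len(args) >= 10 else args[0]).upper()
        elif keyword.startswith("TRUST_"):
            res.trust = keyword[len("TRUST_"):]
    return res


def email_of(uid: str) -> str:
    """Address inside <...>, lower-cased; the whole UID if there is none."""
    m = re.search(r"<([^<>@\s]+@[^<>\s]+)>", uid)
    return m.group(1).lower() if m else uid.strip().lower()


def classify(res: SigResult, pins: dict) -> str:
    """Decide what a good signature tells this verifier, keyed on fingerprint."""
    if not (res.good and res.fingerprint):
        return "invalid"
    if res.trust in ("FULLY", "ULTIMATE"):
        return "validated"            # the verifier's own trustdb vouches for the key
    addr = email_of(res.uid)
    pinned = pins.get(addr)
    if pinned is None:
        pins[addr] = res.fingerprint  # remember the first key seen for this address
        return "first-seen"           # proves integrity, says nothing about who signed
    if pinned == res.fingerprint:
        return "same-key-as-before"   # same secret key as earlier posts, nothing more
    return "uid-collision"            # identical name and address, different key


def run_demo() -> list:
    pins = {}
    messages = [
        make_status(FPR_A, UID),                 # first post under this address
        make_status(FPR_A, UID),                 # later post, same key
        make_status(FPR_B, UID),                 # look-alike key, same user ID
        BAD_STATUS,                              # body changed after signing
        make_status(FPR_A, UID, "TRUST_FULLY"),  # key valid in the local trustdb
    ]
    return [classify(parse_status(m), pins) for m in messages]


if __name__ == "__main__":
    print(run_demo())
```
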
Re: PGP/MIME use
On Wednesday, 1 February 2012, 19:37:56, michaelquig...@theway.org wrote:

> I would be one who fits in the other case. I've never signed an e-mail--no one at our organization does. (Not that I wouldn't like to, but nearly all those with whom I communicate wouldn't have any use for nor comprehension of the signature.) However, I've written scripts to routinely sign files for transmission to our bank. I would definitely count us as serious users.

And you perfectly fit the description I gave for serious users from my perspective.

> I'm sure there are plenty of others who also sign their business transmissions using GPG.

I don't doubt that. I just don't understand why someone who has understood the concept and is capable of validating keys of others, encrypting, decrypting and signing should not use that technology for his email (neither professional nor private). The people I know who are interested in security technology are generally interested in spreading this technology (not limited to OpenPGP). Thus I assume that you are an exception, whatever your reasons may be.

Hauke

--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
Re: On message signing and Enigmail...
On Wed, 01 Feb 2012 15:45:05 -0500 Robert J. Hansen articulated:

> Except that it doesn't. What's to prevent me from creating a certificate with your name and email address and making posts in your name, with a signature from a certificate that claims to be yours? Nothing -- and that signature is every bit as credible as the one that's from your own certificate. You might say, "but that certificate's a fraud, my certificate's real!", but the Christopher Walters impersonator will say the same thing about you. There's no way to check.
>
> I understand the desire to give people a way to verify the integrity of your message, but the way you're going about it has some glaring and obvious flaws.

I have to agree with Robert on this one. The whole idea of signing a message in a forum such as this is more of a pseudo security concept AKA feel good belief. It doesn't hurt to do it, but its usefulness is limited to pacifying yourself into a false sense of security.

--
Jerry ♔

Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.
Re: 1024 key with 2048 subkey: how affected?
On 1 Feb 2012, at 15:00, Robert J. Hansen r...@sixdemonbag.org wrote:

> Googling for nsa suite b would be a pretty good starting place, probably. The National Security Agency has approved the use of ECC for classified material as part of their Suite B cryptography package. As is the case with most government standards there is ample documentation about everything from the theoretical to the practical, although it isn't all collected in one place.

Thanks, I didn't realise this; it's left me with plenty of reading to do.
Re: 1024 key with 2048 subkey: how affected?
On 1 Feb 2012, at 15:41, Werner Koch w...@gnupg.org wrote:

> @book{Hankerson:2003:GEC:940321

Thank you, that's useful.
Re: PGP/MIME use
On Wed, 01 Feb 2012 14:40:23 -0500 Robert J. Hansen articulated:

> I liked hearing the "Gee, look at the time, gotta go" answer. It seemed to be the most honest. YMMV, and banks are definitely different beasts from voting authorities.

I used to get the "Gee" bit too when I asked for a raise. Anyhow, I am willing to bet that most, if not all banking establishments do not verify signed mail, or if they do they want S/MIME since their user base is vastly Microsoft orientated and S/MIME is favored on that architecture. An unverified signed document is about as useful as tits on a bull.

I receive from time to time a signed document on various forums that is shown as bad by my MUA (claws-mail). Usually, it is just out of date. Occasionally, I get a revoked one though. Again, it is usually due to the PEBKC phenomenon.

In any case, I have never considered the signature to be of any importance in a mail forum environment. I know that some users do, and that is their right. The only problem I have is with those friggin inliners whose signature Spams up the page and makes a sig-delimiter impotent. Then, of course, there are those intellectually challenged who fail to trim out that superfluous crap before replying to it.

--
Jerry ♔

Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.
Re: On message signing and Enigmail...
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/02/12 21:12, Doug Barton wrote:

>>> Nothing -- and that signature is every bit as credible as the one that's from your own certificate. You might say, "but that certificate's a fraud, my certificate's real!", but the Christopher Walters impersonator will say the same thing about you. There's no way to check.
>>
>> Isn't this the whole point of the web of trust?
>
> Different category of problems. But what does a large number of signatures from people you don't know tell you more than a single key without signatures?

It tells you that all of the messages were from the same identity.

>> And if somebody uses the same key to sign mail repeatedly it builds a history and an identity.
>
> It builds the *appearance* of an identity. Did you not read Robert's story of multiple people posting using the same key?

IMO, it builds an *actual* identity. That multiple people chose to share the same identity in that particular story is not important.

>> It doesn't stop somebody else coming in and using a fake key, but that person can't successfully claim to be the same person who signed all the other mail. Not if the person who actually signed all of the historical mail still has access to that key and can call them out on it.
>
> This much is true, yes.
>
>> I've posted using the same key on probably a dozen mailing lists, I use it for all of my personal and work email. I use it to sign all of the comments on my blog. I use it to sign the front page of my website. There is very definite and obvious value in using the same key in multiple places to establish the connection between your key and your identity. Mailing lists are just another one of these places.
>
> The only thing what you're doing proves is that at the time those things were posted someone had control of the secret key, and that the messages weren't altered after they were signed. Beyond that everything is speculation.

If you see somebody posting on another list using the same key that I've been using to post on this list, then you know it's the same person. If you come across my website and find the content on it signed by my key, you can connect my postings on this list with my website. And so on.

- --
Mike Cardwell https://grepular.com/ http://cardwellit.com/
OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
Re: On message signing and Enigmail...
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 2/1/2012 03:45 PM, Robert J. Hansen wrote:

> Except that it doesn't. What's to prevent me from creating a certificate with your name and email address and making posts in your name, with a signature from a certificate that claims to be yours? Nothing -- and that signature is every bit as credible as the one that's from your own certificate. You might say, "but that certificate's a fraud, my certificate's real!", but the Christopher Walters impersonator will say the same thing about you. There's no way to check.

Nothing, true. However, I disagree with your statement that there is no way to check: one can check the headers of each message to see from where they originated. If one says it came from (my email name @ my ISP) and originated from my ISP, and the other shows a different origin, then the one showing a different origin would be suspect, while the one showing an IP address from my ISP, and showing that it came from my username, would be more able to be trusted. If neither originated from my ISP, then both are suspect. That is, unless you met the real me, verified that I am who I say I am, and signed my key - then it would add some very strong trust if you had signed one of those keys. If they both came from my ISP, and neither was signed by you or someone you trust, they would both be suspect.

Before you mention it, I know that headers can be spoofed, however, I very much doubt that a troll or spammer would go to the trouble of creating a key-pair in my name to sign messages, as well as the trouble to spoof the headers.

> I understand the desire to give people a way to verify the integrity of your message, but the way you're going about it has some glaring and obvious flaws.

That is your opinion, and I can respect that. However, in showing the flaw in your argument that there is no way to check, I cannot agree with your conclusion. I could have understood and agreed with your argument if you had said:

1. I have never met you.
2. By the standard of trust I use, I have to meet you to sign your public key.
3. No one I have met, who uses my standard of trust, has signed your key.

Therefore, I do not know you well enough for your signature to have any meaning to me.

To simply state that "the way you're going about it has some glaring and obvious flaws", when the only argument you used against it has its own flaws, does not meet my standard of logic in reasoned argument.

> I can't argue against a feeling. No one can. Feelings are what they are, and they are immune to the forces of reason.

I am always open to logical arguments. However, in using logic alone, one must realize that two opposing logical arguments can be equally valid. As for arguing with a feeling, I see people doing that all the time and it's usually not pretty. ;)

I do not believe there is *One True and Correct Answer* to this issue. I do feel it germane to point out that this IS the gnupg-users list, and if anywhere would be appropriate to sign messages, it would be here.

Regards,

Chris

P.S. I could show a proof of concept very easily, to support my premise that the headers can be used to check which one is valid. However, it is a good deal of work for me, and it is really up to you to refute my argument.
Re: PGP/MIME use
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi

On Wednesday 1 February 2012 at 5:19:41 PM, in mid:20120201121941.5e100a23@scorpio, Jerry wrote:

> Windows users prefer S/MIME.

Seems likely to me that the majority of Windows users use neither S/MIME nor openPGP.

- --
Best regards

MFPA mailto:expires2...@rocketmail.com

Never lean forward to push an invisible object.
Re: Reply-to netiquette (was [META] please start To: with gnupg-users@gnupg.org...)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi

On Wednesday 1 February 2012 at 8:56:29 PM, in mid:4f29a6fd.8040...@dougbarton.us, Doug Barton wrote:

> I already addressed that issue in previous posts. Stop trying to force other people to change, and deal with what life brings. You'll live a happier life overall. :)

Hear, hear!

Be liberal in what you accept, and conservative in what you send.

- --
Best regards

MFPA mailto:expires2...@rocketmail.com

CAUTION! - Beware of Warnings!
Re: On message signing and Enigmail...
On 2/1/12 4:29 PM, Christopher J. Walters wrote:

> However, I disagree with your statement that there is no way to check: one can check the headers of each message to see from where they originated.

Easily forged, and machines are too easy to compromise. This idea that an IP address is clear and convincing evidence of origin is absolute bonkers. An IP address is evidence of *routing*.

> Before you mention it, I know that headers can be spoofed, however, I very much doubt that a troll or spammer would go to the trouble of creating a key-pair in my name to sign messages, as well as the trouble to spoof the headers.

I personally know fourteen-year-olds who would do this just for the pleasure of screwing with you. Consider Anonymous, whose stated raison d'etre is to do it all for the lulz and because none of them is as cruel as all of them. Anonymous gets in the news when it goes after big targets, but you think a bunch of technically competent high school students wouldn't direct this against a particularly hated teacher, or the designated class pariah, or...?

Maybe I have a darker view of human nature than you do, that's certainly possible, but I think it's a critical mistake to apply rational-actor theory to criminals. (It's just as critical of a mistake to apply rational-actor theory to human beings. Human beings ain't rational actors.)

> P.S. I could show a proof of concept very easily, to support my premise that the headers can be used to check which one is valid. However, it is a good deal of work for me, and it is really up to you to refute my argument.

The only way this argument can be refuted is for me to commit a felony (breaking the Computer Fraud and Abuse Act). I'll happily give a general outline of how it can be done, but I'm not going to commit a felony just to prove a point. That way lies madness.
Re: PGP/MIME use
On 2/1/12 4:14 PM, Hauke Laging wrote:

> I just don't understand why someone who has understood the concept and is capable of validating keys of others, encrypting, decrypting and signing should not use that technology for his email.

I have referred to this paper probably five times or more on this list and other lists. I really wish people would read it. I'm getting tired of answering this -- it's my least-favorite OpenPGP-related question.

Shirley Gaw, Edward W. Felten, Patricia Fernandez-Kelly. Secrecy, Flagging and Paranoia: Adoption Criteria in Encrypted Email. Proceedings of CHI 2006 Conference on Human Factors in Computing Systems, 2006. http://www.cs.princeton.edu/~sgaw/publications/01Feb-Activists-sgaw-CHI2006.pdf
Re: PGP/MIME use
On Wed, 1 Feb 2012 21:35:21 + MFPA articulated:

> Seems likely to me that the majority of Windows users use neither S/MIME nor openPGP.

Which would equate to the majority of non-Windows users. However, of those users on MS Windows that do use a form of document signing, I believe that majority employ S/MIME, if for no other reason than it works seamlessly in MS Outlook.

As I stated elsewhere, I use S/MIME on my MS Windows machines because it is just easier to do. I really, really like the KISS principle. For that very reason, on my FreeBSD based machines, I employ PGP. I see no problem with it and both work quite well. Others are certainly entitled to their own opinion.

--
Jerry ♔

Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.
Re: PGP/MIME use
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 2/1/2012 04:38 PM, Robert J. Hansen wrote:

> I have referred to this paper probably five times or more on this list and other lists. I really wish people would read it. I'm getting tired of answering this -- it's my least-favorite OpenPGP-related question.
>
> Shirley Gaw, Edward W. Felten, Patricia Fernandez-Kelly. Secrecy, Flagging and Paranoia: Adoption Criteria in Encrypted Email. Proceedings of CHI 2006 Conference on Human Factors in Computing Systems, 2006. www.cs.princeton.edu/~sgaw/publications/01Feb-Activists-sgaw-CHI2006.pdf

I have read the abstract, and admit that I only skimmed the rest of that paper. I find that it is only really talking about the use of public key encryption of messages, and the human factors that lead to the decision of whether or not to encrypt messages.

That is a separate topic from actually signing your message with your secret key - and is not terribly germane to public mailing lists. Since the list owner would have to deem it worth the trouble to generate a key pair for the list AND collect the public keys of each subscriber, and use software that will be able to decrypt messages sent to the list, and re-encrypt them to each subscriber. This would not significantly improve security in such a forum, and would increase the load on the system that processes mail for the list.

To clarify, by public mailing list, I mean that anyone can join it and post to it. A private mailing list, in this context, would be an invite-only list, where one would have to be known to the list owner and specifically invited to join.

Signing, OTOH is a personal choice of each subscriber. Those who choose to do so can do so, and those who do not choose to do so, do not.

Regards,

Christopher J. Walters
Re: PGP/MIME use
On 2/1/12 5:02 PM, Christopher J. Walters wrote:

> I have read the abstract, and admit that I only skimmed the rest of that paper. I find that it is only really talking about the use of public key encryption of messages, and the human factors that lead to the decision of whether or not to encrypt messages.

Read the paper. One of the principal reasons the NGO in the study avoided using crypto was because they were concerned about appearing to outsiders as if they were paranoids with something to hide.

Why do you want to sign everything? Because you want to detect if someone's tampered with your messages. What are you, some kind of paranoid who's worried about people screwing with your email?

Seriously. Read the paper. It's worthwhile.
Re: On message signing and Enigmail...
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 2/1/2012 04:53 PM, Robert J. Hansen wrote: Easily forged, and machines are too easy to compromise. This idea that an IP address is clear and convincing evidence of origin is absolute bonkers. An IP address is evidence of *routing*. Must you resort to the ad hominem fallacy? Maybe I have a darker view of human nature than you do, that's certainly possible, but I think it's a critical mistake to apply rational-actor theory to criminals. (It's just as critical of a mistake to apply rational-actor theory to human beings. Human beings ain't rational actors.) I am not assuming that ANYONE is rational. I am merely assuming that most everyone is lazy, and would only go to that trouble if they had a personal problem with the person they are targeting. I know some teenagers who might, just for fun, but they usually target people they have a problem with. The only way this argument can be refuted is for me to commit a felony (breaking the Computer Fraud and Abuse Act). I'll happily give a general outline of how it can be done, but I'm not going to commit a felony just to prove a point. That way lies madness. Yet, you did not give that outline. I think we'll just have to agree to disagree on this one. It is already heating up, and the last thing we want here is a flame war. Regards, Christopher J. Walters P.S. I shall not add more fuel to the fire, so to speak. I stand by my decision to sign my messages, and respect your choice not to do so. I only ask the same respect from you. In the end, as all things, this is a personal choice. 
Re: PGP/MIME use
Hi On Wednesday 1 February 2012 at 9:14:33 PM, in mid:201202012214.38430.mailinglis...@hauke-laging.de, Hauke Laging wrote: I just don't understand why someone who has understood the concept and is capable of validating keys of others, encrypting, decrypting and signing should not use that technology for his email (neither professional nor private). There are plenty of things people don't bother doing, despite understanding, knowledge, and capability. Why should this be different? -- Best regards MFPA mailto:expires2...@rocketmail.com A closed mouth gathers no foot
Re: Reply-to netiquette (was [META] please start To: with gnupg-users@gnupg.org...)
On Wed, 1 Feb 2012 21:53:06 + MFPA articulated: Hear, hear! Be liberal in what you accept, and conservative in what you send. I will liberally accept a message not CC'd to me if the individual making the reply would be conservative enough not to include me on the CC line. You cannot accidentally CC someone. Most of those responding to this thread have stated that they would not CC an individual who so requested it. The overwhelming majority of users on this list, and most others as well, never CC anyone because they realize it is just a waste of time, bandwidth and serves no useful purpose. There is one glaring exception who evidently thinks his CC doesn't stink. -- Jerry ♔ Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.
Re: On message signing and Enigmail...
On Wed, 01 Feb 2012 16:53:48 -0500 Robert J. Hansen articulated: Maybe I have a darker view of human nature than you do, that's certainly possible, but I think it's a critical mistake to apply rational-actor theory to criminals. (It's just as critical of a mistake to apply rational-actor theory to human beings. Human beings ain't rational actors.) Always expect the worst in people and you will never be disappointed. -- Jerry ♔ Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.
Re: PGP/MIME use
On Wednesday, 1 February 2012, 23:19:43, MFPA wrote: I just don't understand why someone who has understood the concept and is capable of validating keys of others, encrypting, decrypting and signing should not use that technology for his email (neither professional nor private). There are plenty of things people don't bother doing, despite understanding, knowledge, and capability. Why should this be different? I give training courses about cryptography in a German party and am involved in the discussion whether and how we should use it in our administration. Thus I have some experience with (mostly) normal people (no IT geeks). My experience is that a) most people don't care at all (which probably everyone here can confirm...) b) the other ones say that it's a useful technology but they do not use it due to either their software not supporting it or (more important) their personal lack of knowledge c) I have never encountered someone saying something like I know how it works, I use it for software distribution and backups but I have never used it for email. The probable main difference to your plenty of things is that this is considered useful (for email!) by many people (many more than capable of using it). Thus it seems quite improbable to me that among those few who are capable of using it there are many who do not find it useful (for email). Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
Re: PGP/MIME use
On Wednesday, 1 February 2012, 17:19:08, Robert J. Hansen wrote: On 2/1/12 10:47 AM, Hauke Laging wrote: Of course not. I just don't believe that there are many examples of this type out there. To me a serious user is one who actively signs, encrypts, and/or verifies data and knows what he is doing. He has created a key and verified at least one. Everything else seems like special use to me. Then yes, you are selecting for email users. There are quite a lot of people who use GnuPG primarily for themselves -- for instance, a system administrator who signs each backup, a lawyer who encrypts files when in transit on a flash drive, etc. My description does not select for email users only but also covers your examples. We are not talking about primarily but about only. Yes, this definition means that you're a serious user of your OS kernel. And why wouldn't you be? You demand your PC make thousands of kernel calls each second. Is that not serious use? Depends on what you are thinking about. Of course, it is interesting to know how many kernels are out there. But it is also interesting and deserves being looked at separately how many people have an active, planned interaction with their kernel. Something like compiling it themselves, compiling modules for it, deactivating or configuring modules, configuring the kernel via command line parameters, saving an old kernel version as fallback. (GnuPG is already on your system.) That's not true for a certain quite popular OS. Quite in context, please. In context, that sentence obviously referred to Linux users. Quoting people out-of-context to score points is a pet peeve of mine. I apologize if anyone had the impression that I used your quote wrongly (but why should I?). The point is that you said nothing about Windows which due to its market share cannot be ignored. And that has no relation to the context of your quote. 
And if users who know of, are aware of, who pay attention to, how GnuPG works behind the scenes aren't relevant to you, then what is? I do not see how relevance could be bound to knowing what happens if this has no influence to what happens at all. Users who need a software (whether they know that or not) are relevant to me, too. But those users are relevant for GnuPG's verification feature only because they never use anything else. To me it's important for the assessment of a user whether or not he causes any data in the world to be changed (because he signs something, encrypts something, something is encrypted for him). One group makes just a quantity difference to IT, the other one a quality difference. The reason why most people do not use Enigmail (or something similar) is *not* the installation of GnuPG. You can easily install GnuPG without any clue how to use it. The main reasons are the lack of felt need (whether those people on average feel a need for update rpm signature checks?) and the lack of knowledge. Thus only comparing the GnuPG users with knowledge to the Enigmail users makes sense to me. Each benchmark I use to represent a class of users, you reject as being not what you're talking about, so please tell me precisely what you *are* talking about. I already did so: This sounds like a No True Scotsman fallacy. If someone uses GnuPG but not for email, does that disqualify them from being a serious user? [...] To me a serious user is one who actively signs, encrypts, and/or verifies data and knows what he is doing. He has created a key and verified at least one. Everything else seems like special use to me. However, we are not discussing something important. You said that Enigmail users were just a small share of GnuPG users. This share depends on the part of GnuPG users considered. Obviously our opinions about that part differ but the decision who is right has no consequence at all. And which of these scenarios is more probable? 
Who will after starting to sign emails start to send emails to people he is not familiar with? Quite a lot, apparently. There are a whole lot of people on this mailing list. I'm sending a message to all of them, including people I don't even know. But you don't send email to this list *because* you sign your email. You don't even sign your email to this list. Your question: Who will after starting to sign emails start to send emails to people he is not familiar with? The answer is Facebook. Google+. eHarmony. Match.com. JDate. Bear411. ChristianSingles.com. The list goes on and on and on. Right. But for nearly none of those cryptography is the reason for contacting others. In other words: If email cryptography becomes more common there is no reason to expect more email from unknown people (due to this effect). The people who would be complaining about my conduct would be people who don't know me from the wind. *They're* the ones who would have to be persuaded I was on the
Re: PGP/MIME use
On Wednesday, 1 February 2012, 22:38:57, Robert J. Hansen wrote: On 2/1/12 4:14 PM, Hauke Laging wrote: I just don't understand why someone who has understood the concept and is capable of validating keys of others, encrypting, decrypting and signing should not use that technology for his email. I have referred to this paper probably five times or more on this list and other lists. I really wish people would read it. I'm getting tired of answering this -- it's my least-favorite OpenPGP-related question. I knew that paper (due to one of your emails). I read it again now. It has quite little to do with my question. My question was NOT Why do so few people use email cryptography? But that is the question this paper wants to answer. Some points from the paper:
• It is (mainly) about people not familiar with GnuPG in some context different from email.
• One of the two most IT capable people being interviewed does not even know how to make signatures.
• Most or even all of those users did not have an environment which creates signatures or encrypts automatically. I have not read how they did it; I assume they used some program not integrated into their email software and had to use the clipboard for transferring the data.
• Most of the paper is about encryption. None of the interviewed people denied the sense of encryption in certain cases.
I do not see how to get valid conclusions from non-IT people using bad software for IT people free to choose their software. Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
Re: PGP/MIME use
On 2/1/12 5:53 PM, Hauke Laging wrote: I apologize if anyone had the impression that I used your quote wrongly (but why should I?). The point is that you said nothing about Windows which due to its market share cannot be ignored. And that has no relation to the context of your quote. Yes, I'm ignoring Windows, mostly because I have absolutely no idea where to begin estimating GnuPG users on Windows. All I can do is mutter something about wovon man nicht sprechen kann, darüber muß man schweigen and quickly change the subject. :) That said, yes, on Linux Enigmail is a niche player. The major distros ship either KDE or GNOME desktops. KDE's default mail application is KMail, and GNOME's is Evolution. Both have strong OpenPGP support. You don't need to install Thunderbird+Enigmail on those platforms to get OpenPGP support for email, so most people who want OpenPGP email don't. The reason why most people do not use Enigmail (or something similar) is *not* the installation of GnuPG. Having fielded questions from people stymied by Enigmail installation for a few years now, I disagree. I've encountered a lot of people who find it to be a significant obstacle. It was much worse in the past, but since the introduction of Windows installers for GnuPG the problems have diminished significantly. We still get a fair number of them, though. But you don't send email to this list *because* you sign your email. You don't even sign your email to this list. No, but I do sign emails. There are a fair number of people who can attest to that. I just don't sign emails to mailing lists except in unusual cases (e.g., I'm making a post to the Enigmail list in my role as a list moderator) or when I've enabled signing by accident. Right. But for nearly none of those cryptography is the reason for contacting others. In other words: If email cryptography becomes more common there is no reason to expect more email from unknown people (due to this effect). I don't understand what you're saying. 
If cryptography is the reason to contact someone, then I think we all need to get out more. :) I contact people to *communicate*. Cryptography is just a tool to facilitate that. OK but if someone considers his opinion about something he is not familiar with superior to the uniform opinion of some who are familiar then I would consider him an idiot. World's full of 'em. God knows I've asserted my right to be a damnfool idiot from time to time, so I'm inclined to judge them a bit more leniently. That's the sense of non-signing. What's the sense of using your name? Creating problems for yourself? Accepting those problems in order to make the offense more interesting to the public? Ask Charlie Sheen, or for that matter anyone who's ever wrestled with bipolar disorder, drug addiction, or any of a whole host of illnesses and/or conditions that can cause erratic behavior. Sometimes the software running on the gray matter just breaks and people act in weird ways. It's part of the human condition.
Re: PGP/MIME use
On 2/1/2012 04:35 PM, MFPA wrote: Seems likely to me that the majority of Windows users use neither S/MIME nor openPGP. This is an assumption. I, personally, have a dual-boot system with a GNU/Linux OS and Windows 7. Ever since I discovered GnuPG and the OpenPGP standard, I have used them on both systems. I cannot, however, speak for the majority of Windows users, as I share the same assumption, though my support is the fallacy of leaning on personal experience. Regards, Christopher J. Walters
Re: PGP/MIME use
On 2/1/12 6:08 PM, Hauke Laging wrote: My question was NOT Why do so few people use email cryptography? But that is the question this paper wants to answer. Your statement was, I just don't understand why someone who has understood the concept[s] and is capable of [using the software] should not use that technology for his email. That's a statement, not a question: I inferred your question as, Why is it people who understand the concepts and are capable of using the software don't use it for their email? And that is, in fact, exactly the question they're answering. In this paper we try to identify additional barriers by interviewing a set of users from an organization that relies on secrecy. Our interviews demonstrate that users' attitudes about encryption, and the social significance users attach to it, are an important factor in limiting adoption. Their central finding? It's not a technological problem: it's a social one. Some points from the paper: • It is (mainly) about people not familiar with GnuPG in some context different from email. Incorrect. GnuPG is never mentioned in the paper. The NGO mentioned in the paper is PGP-only. Some of their case studies (Woodward) used PGP to encrypt files on their desktops: others (Abe) were email-only. Some were email-only (Jenny) but abandoned it, others... etc. • Most or even all of those users did not have an environment which creates signatures or encrypts automatically. Incorrect. The paper makes it clear they had plugins available to do the process automatically. In addition, [Woodward] distrusted plugins for email programs, relying on encrypting the text of a message first and copying it into his email program later. That sentence only makes sense if they had access to plugins. Further, PGP circa 2006 shipped with email plugins. Another user, Abe, used encryption to protect financial data ... [he] believed this setup was simple. 
From that I infer Abe had suitable tools for the task -- which is quite plausible, given we know they were using PGP.
Re: Reply-to netiquette (was [META] please start To: with gnupg-users@gnupg.org...)
Hear, hear! Be liberal in what you accept, and conservative in what you send. Folks, at the risk of starting a new thread or steering this thread into an eddy, Postel's Law is now officially a problem. I strongly (and I mean it) urge y'all to take a look at the one or two principal papers at langsec.org. I believe they are game changing. As I said earlier on, I read my mail in a text-only legacy reader because it cannot interpret. Ditto not allowing Javascript, etc. Why? Because I refuse to honor a remote procedure call from parties I know not written in a Turing-Complete language which characteristic, if I need to say it, means that security, a variant of the halting problem, is formally undecidable. --dan
Re: PGP/MIME use
On Thursday, 2 February 2012, 00:27:04, Robert J. Hansen wrote: Your statement was, I just don't understand why someone who has understood the concept[s] and is capable of [using the software] should not use that technology for his email. That's a statement, not a question: You are so right. You like quotation contexts, don't you? I knew that paper (due to one of your emails). I read it again now. It has quite little to do with my question. See the ? I inferred your question as, Why is it people who understand the concepts and are capable of using the software don't use it for their email? Correct. And that is, in fact, exactly the question they're answering. In this paper we try to identify additional barriers by interviewing a set of users from an organization that relies on secrecy. Our interviews demonstrate that users' attitudes about encryption, and the social significance users attach to it, are an important factor in limiting adoption. That's not even nearly the question they are answering. For none of the users they mention that he uses GnuPG-like software in a context different from email. At most one of them understands the concept (as a whole, not just a part of it, i.e. encryption). They don't say that explicitly but we have to assume that everyone else has neither understood the feature signing nor is using it. How much do these people have in common with admins and lawyers in your opinion? Their central finding? It's not a technological problem: it's a social one. I have never heard or assumed something different. Some points from the paper: • It is (mainly) about people not familiar with GnuPG in some context different from email. Incorrect. GnuPG is never mentioned in the paper. Thus we have no reason to assume that any of them is familiar with GnuPG. Our point is people familiar with GnuPG who do not use email cryptography. This is the other way round: People using email (most of them) with no information about their other background. 
• Most or even all of those users did not have an environment which creates signatures or encrypts automatically. Incorrect. The paper makes it clear they had plugins available to do the process automatically. In addition, [Woodward] distrusted plugins for email programs, relying on encrypting the text of a message first and copying it into his email program later. That sentence only makes sense if they had access to plugins. Further, PGP circa 2006 shipped with email plugins. No, it also makes sense reading He did not see a problem in not having a tool for automatic processing as he would not have used it anyway as he distrusted such plugins. Furthermore available is not the same as using. There are other quotes which make sense only if such plugins are NOT available: He (Abe) estimated that encrypting every e-mail message would add another hour to his workday unless it was automated. He (Abe) figured this man has an automated system for encrypting e-mail I (Jenny) think he probably has some automated system. That everything he sends gets encrypted automatically. I can’t believe he’s encrypting manually every time. But to me, it’s like—OK, if it’s automated—fine. If it was encrypted on his computer and he sent to my computer, automatically encrypted or decrypted it—fine. Then, encrypt everything you want. Arguably, some of the stigma associated with using encrypted e-mail was tied to the overhead of the system ActivistCorp used. Where appropriate, some of the process can be removed or automated. Another user, Abe, used encryption to protect financial data ... [he] believed this setup was simple. The same one saying most people see this as more work and want things simpler and I’m actually considered a “techie”. Simple is in the eye of the beholder. It may even have referred to the point that he just encrypts financial data which he regularly synchronizes with others. 
Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
Re: PGP/MIME use
On 2/1/2012 7:30 PM, Hauke Laging wrote: Your statement was, I just don't understand why someone who has understood the concept[s] and is capable of [using the software] should not use that technology for his email. That's a statement, not a question: You are so right. You like quotation contexts, don't you? I'm afraid, Hauke, that I don't understand what you're getting at. I inferred your question as, Why is it people who understand the concepts and are capable of using the software don't use it for their email? Correct. Then you have my response to that: the paper I cited does a good job of answering that question. That's not even nearly the question they are answering. Then we disagree completely, and there's nothing more to be said.