Re: On message signing and Enigmail...
On Wed, Feb 01, 2012 at 09:26:18PM +, gn...@lists.grepular.com wrote: On 01/02/12 21:12, Doug Barton wrote: I've posted using the same key on probably a dozen mailing lists, I use it for all of my personal and work email. I use it to sign all of the comments on my blog. I use it to sign the front page of my website. There is very definite and obvious value in using the same key in multiple places to establish the connection between your key and your identity. Mailing lists are just another one of these places. The only thing what you're doing proves is that at the time those things were posted someone had control of the secret key, and that the messages weren't altered after they were signed. Beyond that everything is speculation. If you see somebody posting on another list using the same key that I've been using to post on this list, then you know it's the same person. If you come across my website and find the content on it signed by my key, you can connect my postings on this list with my website. And so on. Well, no; what you know is that someone with access to the private key and passphrase did it. If someone steals your private key and passphrase, they no longer uniquely identify you. Signatures can't protect against this form of imposture. But they *can* protect against someone else simply creating another key with the same name in it. Not by themselves. But the impostor, in this case, cannot demonstrate control of your private key, and when challenged, will be shown to be lying if he claims to be the person who controls your key. This still doesn't establish that the person named in the certificate has control of the key, but use of the key to create a signature does create evidence which can be investigated. Someone could visit you in person and ask you to create a recognizable signed object in his presence using the same key. If you can, then you are a person who could have created the other signature. If there is no evidence that anyone else could have created the other signature, then there is good reason to believe that you created it, though this is not proof. Signatures also cannot establish *non*identity, since you could easily have another key and pretend you don't. If the key were somehow produced, you could pretend you don't know the passphrase, and demonstrate this any number of times by typing anything which is *not* the passphrase. This is roughly equivalent to claiming that unsigned objects don't come from you. The pattern that you establish is evidence but not proof. I would like to say that, while proof settles the matter, evidence short of proof often has value. I'm going to continue to sign every email. Besides, I'm too lazy to turn it on and off. :-) -- Mark H. Wood, Lead System Programmer mw...@iupui.edu Asking whether markets are efficient is like asking whether people are smart. pgpZZDLEh2fJe.pgp Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
On message signing and Enigmail...
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 I thought I would start a new thread because of the thread confusion. I first want to say that I use Enigmail with Thunderbird, and check the To: and CC: lines of any replies before I send my reply to any list, to avoid people receiving unwanted private email from me. On the issue of signing: I do sign my messages, and have uploaded my public keys to key servers, so they are available to check that no one has changed my message. In reply to the concept that it is meaningless, I will say that I feel that it adds a layer of trust (perhaps more than one, if you have one or more lines of trust to the poster) that the message was, in fact, posted by the person signing it, and that person stands behind what they say. OpenPGP's PGP/MIME vs. S/MIME: I have always used Enigmail with Thunderbird on Windows, and GNU/Linux systems (I dual boot, so I use both). I do not use S/MIME, have never done so, do not intend to start. On inline vs. PGP/MIME signed messages: I post to several lists, forums and groups. Some strip attachments, by default, and since my signature is sent as an attachment when using PGP/MIME, it is stripped from my message. Also, some of my contacts have set ups that automatically strip attachments (e.g. my signature). Therefore, I decided that it is best for all to use the plain text only type of posting and an inline signature so that everyone on all lists can at least verify that I have taken the time to install GnuPG on my system, generate a key pair with my name and email address, upload my public key to a widely used key server, and enter my passphrase to sign the message. Those are my thoughts on this matter. Sincerely, Christopher J. Walters -BEGIN PGP SIGNATURE- iQIcBAEBCgAGBQJPKaHTAAoJEJ6vdel2qM1cWYgP+gKGcm1G3gOjVEFecqfkB4i5 opzYCazldaMcu1qz0TpeXemoZ3sgZ24T+a4i9yHgfPft6rIF6TJu23VLDYQcmUwk vCMlvNG4gpnfJIEFkIgVqdsMfzbgk6QrQWWMmwoQkiXPL50r65Ar3mZp9ROKjuOo MgSiURTPu0NodsOzTEiL85ScP4RtnkvPJQd6lPiehrqfazPVeWd+7EGPJEaTkHzR 3IM8j/3ZFYp7emkbvEu94h+kf+IfIzPy0Duow2blZKQ++T4cBDzPFDvqL0QvVXsi 8rSj5xTRFnYPCmaoj/Mbrh8v6P9SVDwD+q3EtVRgknpH6pj8dI3fJRZ0eH1EVGL+ Zq9CZdvCzYF/l+XD37Rz5lc3aXxkRRVSaG2jg+gpk3gwCjubxbrdHZxFPa66rvrU cY32XTcxMTjiWBtU1p92dHfH6cCrhFnBI/5u8pYD4q5C+PW+1cUxWksdR3Z59AKj VJIJg58WRKDV5ESEx7MiaWwIaseCJvmx8QdBaG3CaX86+HT7fOHttvmPBuh79mYn 4JIyxuvpzGq8c6dyl3IANlIdPnCq+NsTZJG6IE3jcNFLg4MIMCAFvgQNsr5qVDHl 2373Y/lF58QoDSy+6HD9WR6Sg8fz1J80JnCkzL9GahsJrklhJEdEap5QvZQ0aHt/ 69cM9sVJBC0124dE8bTN =Q1EU -END PGP SIGNATURE- --- avast! Antivirus: Outbound message clean. Virus Database (VPS): 120201-0, 02/01/2012 Tested on: 2/1/2012 3:34:31 PM avast! - copyright (c) 1988-2012 AVAST Software. http://www.avast.com ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: On message signing and Enigmail...
On 2/1/12 3:34 PM, Christopher J. Walters wrote: On the issue of signing: I do sign my messages, and have uploaded my public keys to key servers, so they are available to check that no one has changed my message. Except that it doesn't. What's to prevent me from creating a certificate with your name and email address and making posts in your name, with a signature from a certificate that claims to be yours? Nothing -- and that signature is every bit as credible as the one that's from your own certificate. You might say, but that certificate's a fraud, my certificate's real!, but the Christopher Walters impersonator will say the same thing about you. There's no way to check. I understand the desire to give people a way to verify the integrity of your message, but the way you're going about it has some glaring and obvious flaws. In reply to the concept that it is meaningless, I will say that I feel that it adds a layer of trust (perhaps more than one, if you have one or more lines of trust to the poster) that the message was, in fact, posted by the person signing it, and that person stands behind what they say. I can't argue against a feeling. No one can. Feelings are what they are, and they are immune to the forces of reason. That said, I consider this sentiment to be a close analogue of feeling that statements given by argyle-wearing men who speak Occitan with a lisp are more trusted than statements given by others. It's crazy. It's just that it's your particular flavor of it, and I respect that. Just don't ask me to subscribe to it. :) (No perjoration is intended. We all have our own particular flavors of crazy.) ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: On message signing and Enigmail...
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/02/12 20:45, Robert J. Hansen wrote: On the issue of signing: I do sign my messages, and have uploaded my public keys to key servers, so they are available to check that no one has changed my message. Except that it doesn't. What's to prevent me from creating a certificate with your name and email address and making posts in your name, with a signature from a certificate that claims to be yours? Nothing -- and that signature is every bit as credible as the one that's from your own certificate. You might say, but that certificate's a fraud, my certificate's real!, but the Christopher Walters impersonator will say the same thing about you. There's no way to check. Isn't this the whole point of the web of trust? And if somebody uses the same key to sign mail repeatedly it builds a history and an identity. It doesn't stop somebody else coming in and using a fake key, but that person can't successfully claim to be the same person who signed all the other mail. Not if the person who actually signed all of the historical mail still has access to that key and can call them out on it. I've posted using the same key on probably a dozen mailing lists, I use it for all of my personal and work email. I use it to sign all of the comments on my blog. I use it to sign the front page of my website. There is very definite and obvious value in using the same key in multiple places to establish the connection between your key and your identity. Mailing lists are just another one of these places. - -- Mike Cardwell https://grepular.com/ http://cardwellit.com/ OpenPGP Key35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4 -BEGIN PGP SIGNATURE- iQGGBAEBAgBwBQJPKakbMBSAACAAB3ByZWZlcnJlZC1lbWFpbC1lbmNvZGlu Z0BwZ3AuY29tcGdwbWltZTgUgAAVABpwa2EtYWRkcmVzc0BnbnVwZy5vcmdt aWtlLmNhcmR3ZWxsQGdyZXB1bGFyLmNvbQAKCRCdJiMBwdHnBF/BB/kBNf1WUxkR +gNP1NIirxIykvDZZFZfQuagWssbHncwQVpVz+rMF3W/NbmibL/BItyg3F8iufQD b6ZuyUuQ7cU5ZBLnm4SFLCdZkW/G5SCEPon5KRTJUhkl9MflBEKwt/gb3/o3W8hP 4XVvVdsM/20r2GviGHZE5h5Pu/YtAdgFetyGeQckuAIioixIDuEAE8fgHYhUSrPR 2TtVjEyq5Pk8GoUJTAQlDBAIlVr0/2YhSwwNI9DMSB/IXp+5UcU2XHciuQsvagDF 8OsOyxwHJfzM/jYPUUTmFybnnEi59lo/NQYypWDISCGbe6IyKfSIxLjHXnR+ohU9 zrT+Iy4V+SC3 =4Hyt -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: On message signing and Enigmail...
On 02/01/2012 13:05, gn...@lists.grepular.com wrote: On 01/02/12 20:45, Robert J. Hansen wrote: On the issue of signing: I do sign my messages, and have uploaded my public keys to key servers, so they are available to check that no one has changed my message. Except that it doesn't. What's to prevent me from creating a certificate with your name and email address and making posts in your name, with a signature from a certificate that claims to be yours? Nothing -- and that signature is every bit as credible as the one that's from your own certificate. You might say, but that certificate's a fraud, my certificate's real!, but the Christopher Walters impersonator will say the same thing about you. There's no way to check. Isn't this the whole point of the web of trust? Different category of problems. But what does a large number of signatures from people you don't know tell you more than a single key without signatures? And if somebody uses the same key to sign mail repeatedly it builds a history and an identity. It build the *appearance* of an identity. Did you not read Robert's story of multiple people posting using the same key? It doesn't stop somebody else coming in and using a fake key, but that person can't successfully claim to be the same person who signed all the other mail. Not if the person who actually signed all of the historical mail still has access to that key and can call them out on it. This much is true, yes. I've posted using the same key on probably a dozen mailing lists, I use it for all of my personal and work email. I use it to sign all of the comments on my blog. I use it to sign the front page of my website. There is very definite and obvious value in using the same key in multiple places to establish the connection between your key and your identity. Mailing lists are just another one of these places. The only thing what you're doing proves is that at the time those things were posted someone had control of the secret key, and that the messages weren't altered after they were signed. Beyond that everything is speculation. Doug -- It's always a long day; 86400 doesn't fit into a short. Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/ signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: On message signing and Enigmail...
On Wed, 01 Feb 2012 15:45:05 -0500 Robert J. Hansen articulated: Except that it doesn't. What's to prevent me from creating a certificate with your name and email address and making posts in your name, with a signature from a certificate that claims to be yours? Nothing -- and that signature is every bit as credible as the one that's from your own certificate. You might say, but that certificate's a fraud, my certificate's real!, but the Christopher Walters impersonator will say the same thing about you. There's no way to check. I understand the desire to give people a way to verify the integrity of your message, but the way you're going about it has some glaring and obvious flaws. I have to agree with Robert on this one. The whole idea of signing a message in a forum such as this is more of a pseudo security concept AKA feel good belief. It doesn't hurt to do it, but its usefulness is limited to pacifying yourself into a false sense of security. -- Jerry ♔ Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: On message signing and Enigmail...
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/02/12 21:12, Doug Barton wrote: Nothing -- and that signature is every bit as credible as the one that's from your own certificate. You might say, but that certificate's a fraud, my certificate's real!, but the Christopher Walters impersonator will say the same thing about you. There's no way to check. Isn't this the whole point of the web of trust? Different category of problems. But what does a large number of signatures from people you don't know tell you more than a single key without signatures? It tells you that all of the messages were from the same identity. And if somebody uses the same key to sign mail repeatedly it builds a history and an identity. It build the *appearance* of an identity. Did you not read Robert's story of multiple people posting using the same key? IMO, it builds an *actual* identity. That multiple people chose to share the same identity in that particular story is not important. It doesn't stop somebody else coming in and using a fake key, but that person can't successfully claim to be the same person who signed all the other mail. Not if the person who actually signed all of the historical mail still has access to that key and can call them out on it. This much is true, yes. I've posted using the same key on probably a dozen mailing lists, I use it for all of my personal and work email. I use it to sign all of the comments on my blog. I use it to sign the front page of my website. There is very definite and obvious value in using the same key in multiple places to establish the connection between your key and your identity. Mailing lists are just another one of these places. The only thing what you're doing proves is that at the time those things were posted someone had control of the secret key, and that the messages weren't altered after they were signed. Beyond that everything is speculation. If you see somebody posting on another list using the same key that I've been using to post on this list, then you know it's the same person. If you come across my website and find the content on it signed by my key, you can connect my postings on this list with my website. And so on. - -- Mike Cardwell https://grepular.com/ http://cardwellit.com/ OpenPGP Key35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4 -BEGIN PGP SIGNATURE- iQGGBAEBAgBwBQJPKa36MBSAACAAB3ByZWZlcnJlZC1lbWFpbC1lbmNvZGlu Z0BwZ3AuY29tcGdwbWltZTgUgAAVABpwa2EtYWRkcmVzc0BnbnVwZy5vcmdt aWtlLmNhcmR3ZWxsQGdyZXB1bGFyLmNvbQAKCRCdJiMBwdHnBO6FB/wMB8caKnFS J+pXsFeVDfluKrUArIBK0ylq3A0xGKI5GpNZfsixUp5kgj9eK4J4EZ/qFq0wV//S TarO87SIJrljze2nhSiURsuqUARD5BC9/XpLpel3YCQSSZ8AFZRy3LHjv2GvIoAb dN5ezIR0B32R1b2pG/NyqIXWHSJzDfZORlXEiHOzVH0Lf5dBAaIx0vNQ1hx/7J5P 2j0JO4+LfM8TswfuuJBHwr3xMMWjLz4zBRxRe4FtEuUq9lCKQ7YlX0HO40S/nUOz kXNaJQHZrycFwZQVfodZLue8mzI/Ghjs/MGNMbq0T8tDUi3Fg/c4Bl34g+SXaDdG jn8iNlmdRhTX =bmhD -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: On message signing and Enigmail...
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 2/1/2012 03:45 PM, Robert J. Hansen wrote: Except that it doesn't. What's to prevent me from creating a certificate with your name and email address and making posts in your name, with a signature from a certificate that claims to be yours? Nothing -- and that signature is every bit as credible as the one that's from your own certificate. You might say, but that certificate's a fraud, my certificate's real!, but the Christopher Walters impersonator will say the same thing about you. There's no way to check. Nothing, true. However, I disagree with your statement that there is no way to check: one can check the headers of each message to see from where they originated. If one says it came from (my email name @ my ISP) and originated from my ISP, and the other shows a different origin, then the one showing a different origin would be suspect, while the one showing an IP address from my ISP, and showing that it came from my username, would be more able to be trusted. If neither originated from my ISP, then both are suspect. That is, unless you met the real me, verified that I am who I say I am, and signed my key - then it would add some very strong trust if you had signed one of those keys. If they both came from my ISP, and neither was signed by you or someone you trust, they would both be suspect. Before you mention it, I know that headers can be spoofed, however, I very much doubt that a troll or spammer would go to the trouble of creating a key-pair in my name to sign messages, as well as the trouble to spoof the headers. I understand the desire to give people a way to verify the integrity of your message, but the way you're going about it has some glaring and obvious flaws. That is your opinion, and I can respect that. However, in showing the flaw in your argument that there is no way to check, I cannot agree with your conclusion. I could have understood and agreed with your argument if you had said: 1. I have never met you. 2. By the standard of trust I use, I have to meet you to sign your public key. 3. No one I have met, who uses my standard of trust, has signed your key. Therefore, I do not know you well enough for your signature to have any meaning to me. To simply state that the way you're going about it has some glaring and obvious flaws, when the only argument you used against it has its own flaws, does not meet my standard of logic in reasoned argument. I can't argue against a feeling. No one can. Feelings are what they are, and they are immune to the forces of reason. I am always open to logical arguments. However, in using logic alone, one must realize that two opposing logical arguments can be equally valid. As for arguing with a feeling, I see people doing that all the time and it's usually not pretty. ;) I do not believe there is *One True and Correct Answer* to this issue. I do feel it germane to point out that this IS the gnupg-users list, and if anywhere would be appropriate to sign messages, it would be here. Regards, Chris P.S. I could show a proof of concept very easily, to support my premise that the headers can be used to check which one is valid. However, it is a good deal of work for me, and it is really up to you to refute my argument. -BEGIN PGP SIGNATURE- iQIcBAEBCgAGBQJPKa7MAAoJEJ6vdel2qM1c3vwP/0IBh8EP8PuCuyhn1cS7TFoW deejwIUHz9kRObSpDPS67xml1WpsAnCvOSRzOi18csYqiMENjP8VvdwBFKCDRfh6 6T3mwDr0cnm9Va/XmJ+sPP0fItfzYpl4X6E41qvYWxZIZym5GSPUDPzTuVo7/Ae+ PhYaX0j83uSyfyJXl17fuRRVMclBX8pbKFwDxj9/uOXF+188Bub6XHiiv1YBObyj jN3EE3DA2vmBockNOhe2ol4EeOM9txVcNVLsuTp0FfbiRcYcXZb3zQFnCVzOf28Y T6JUtdHwc76pgjRbbUoQB8rG9ZN+amRxJuQHfiVuNrAJ9Q7WepLvbEhZJXmk9Y9W ho15DwRYxIIaNDsNDCfHWVbKgdnXOOOC0pIxS4/OtxAo+amH8nvbEyXeeqXbJn6U un08MzedcYJA6hifLGkR7BD9wjV4LYDb6Js9zJ8fWRTNZ5xb7sN7z3QX+to7I5XZ gkwtSAZ4P79IH9AP2HAW56i5CeB2mPRU54+9sqgtU/OaSw3ciZglvzshdtsSeFZm XAfIhllN6QZTXEXMXjs40VUk0w2ZqofwBfWMsFtUOgTUmn3LfZ+FP48j2Aqk0qg7 ImR/YN5xACD9iaFJYE8n2W3lxI63OyxqPMbJlUmp4dBP7pvAa7OfG5YBGBL5wnVV gUROQBL4nh4hZXmbQKfk =hjNc -END PGP SIGNATURE- --- avast! Antivirus: Outbound message clean. Virus Database (VPS): 120201-0, 02/01/2012 Tested on: 2/1/2012 4:29:53 PM avast! - copyright (c) 1988-2012 AVAST Software. http://www.avast.com ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: On message signing and Enigmail...
On 2/1/12 4:29 PM, Christopher J. Walters wrote: However, I disagree with your statement that there is no way to check: one can check the headers of each message to see from where they originated. Easily forged, and machines are too easy to compromise. This idea that an IP address is clear and convincing evidence of origin is absolute bonkers. An IP address is evidence of *routing*. Before you mention it, I know that headers can be spoofed, however, I very much doubt that a troll or spammer would go to the trouble of creating a key-pair in my name to sign messages, as well as the trouble to spoof the headers. I personally know fourteen-year-olds who would do this just for the pleasure of screwing with you. Consider Anonymous, whose stated raison d'etre is to do it all for the lulz and because none of them is as cruel as all of them. Anonymous gets in the news when it goes after big targets, but you think a bunch of technically competent high school students wouldn't direct this against a particularly hated teacher, or the designated class pariah, or...? Maybe I have a darker view of human nature than you do, that's certainly possible, but I think it's a critical mistake to apply rational-actor theory to criminals. (It's just as critical of a mistake to apply rational-actor theory to human beings. Human beings ain't rational actors.) P.S. I could show a proof of concept very easily, to support my premise that the headers can be used to check which one is valid. However, it is a good deal of work for me, and it is really up to you to refute my argument. The only way this argument can be refuted is for me to commit a felony (breaking the Computer Fraud and Abuse Act). I'll happily give a general outline of how it can be done, but I'm not going to commit a felony just to prove a point. That way lies madness. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: On message signing and Enigmail...
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 2/1/2012 04:53 PM, Robert J. Hansen wrote: Easily forged, and machines are too easy to compromise. This idea that an IP address is clear and convincing evidence of origin is absolute bonkers. An IP address is evidence of *routing*. Must you resort to the ad hominem fallacy? Maybe I have a darker view of human nature than you do, that's certainly possible, but I think it's a critical mistake to apply rational-actor theory to criminals. (It's just as critical of a mistake to apply rational-actor theory to human beings. Human beings ain't rational actors.) I am not assuming that ANYONE is rational. I am merely assuming that most everyone is lazy, and would only go to that trouble if they had a personal problem with the person they are targeting. I know some teenagers who might, just for fun, but they usually target people they have a problem with. The only way this argument can be refuted is for me to commit a felony (breaking the Computer Fraud and Abuse Act). I'll happily give a general outline of how it can be done, but I'm not going to commit a felony just to prove a point. That way lies madness. Yet, you did not give that outline. I think we'll just have to agree to disagree on this one. It is already heating up, and the last thing we want here is a flame war. Regards, Christopher J. Walters P.S. I shall not add more fuel to the fire, so to speak. I stand by my decision to sign my messages, and respect your choice not to do so. I only ask the same respect from you. In the end, as all things, this is a personal choice. -BEGIN PGP SIGNATURE- iQIcBAEBCgAGBQJPKbk+AAoJEJ6vdel2qM1cvMkQAJKERTiiUpnfbdgInZ/AqsrG 5TSEH93SWD8EmARrEMhugtI91gFkxLWu27Tiy4pFIQ+phNYMOld9q5hDl3PiXHYL 2pfS4CtQ9mBopLejpJ7F+0mlADmRFCJYKBjbdlk6t63UG/Kjjr5mLvf4X9Y0bJDP UQcyzlHcblrbv+ae3jSILsSlLi56cIHfvyYB5LwXVxMc4S2erQ/c562g1G8Rb8Zb ol/o5FA36V2dNQk6xusZ8PsjdMY80gPBPUWm4NCDoeu+zBS1IdU4f+Fr8dJJfhUJ ohOM2dpDYMgqeHvbUVHWj2rcG1N8sO062ivj7e1losE2lodEDrxRDzC8PoNW4u8r BqUbAIDLoazWeI9YrwD0VCjgMl7UqPY8/QkN67PHCat0VgJ62xGzLM9HE0SlbP/i RonLvsnvi3qYTwiKKLA0qK+PQRE0p+f8NqbHTxoXmkYQHrlsQNf4aiaASaW+s2vX 8OmVrtEetCXKGLBVJktlwlg1LFtB3Qe2NsewAyJeLSQWxomiVZE7FIdwyxTYQHWm aE3qvsMLBWyo2PTQ5h4vBkIRne9jzrkqm1/mwp35IAXYHwKQn/5S2fFOzOnVJz+w p8UkRUSfibJzxIKFkuqo0FNXf2bkCqosndsX50nVFwtu5bXRY7PkUWcnYnrkQRS5 mUlvM6j3yNZcPcYUfEX6 =5hBo -END PGP SIGNATURE- --- avast! Antivirus: Outbound message clean. Virus Database (VPS): 120201-0, 02/01/2012 Tested on: 2/1/2012 5:14:26 PM avast! - copyright (c) 1988-2012 AVAST Software. http://www.avast.com ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: On message signing and Enigmail...
On Wed, 01 Feb 2012 16:53:48 -0500 Robert J. Hansen articulated: Maybe I have a darker view of human nature than you do, that's certainly possible, but I think it's a critical mistake to apply rational-actor theory to criminals. (It's just as critical of a mistake to apply rational-actor theory to human beings. Human beings ain't rational actors.) Always expect the worst in people and you will never be disappointed. -- Jerry ♔ Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
