--
James A. Donald:
> > We have tools to construct any certificates we damn well
> > please,
Joseph Ashwood:
> The same applies everywhere, in fact in your beloved Kong,
> the situation is worse because the identities can't be
> managed.
You are unfamiliar with Kong. The situation is better, because
it is designed to be used in the fashion that all other
existing alternatives actually are used in practice.
James A. Donald:
> > I intended to sign this using Network Associates command
> > line pgp, only to discover that pgp -sa file produced
> > unintellible gibberish, that could only be made sense of by
> > pgp, so that no one would be able to read it without first
> > checking my signature.
Joseph Ashwood:
> Which would of course demonstrate once more that you have no
> clue how to use PGP. It also demonstrates what is probably
> your primary source of "I can't decrypt it" you are using a
> rather old version of PGP.
In fact my version is network associates version 6.5.8, which
can supposedly decrypt any valid pgp message, and your rant
would be considerably more impressive if you signed your
message with a PGP signature. Doubtless you could sign it --
eventually, after a bit of trying, after you had spent about as
much time farting around as I did. The proclamation that PGP
is usable would have been much more impressive in a message
that actually used it.
James A. Donald:
> > Here is a better fix, one that I implemented in Kong:
> > Define several signature types with the default signature
> > type ignoring those aspects of the message that are
> > difficult for the user to notice, so that if a message
> > looks pretty much the same to the user, it has the same
> > signature, by, for example, canonicalizing whitespace and
> > single line breaks, and treating the hard space (0xA0) the
> > same as the soft space. (0x20), and so on and so forth.
Joseph Ashwood:
> So it's going to be broken by design. These are critical
> errors that will eliminate any semblance of security in your
> program.
You are full of shit. I challenge you to fool my
canonicalization algorithm by modifying a message to as to
change the apparent meaning while preserving the signature, or
by producing a message that verifies as signed by me, while in
fact a meaningfully different message to any that was genuinely
signed by me.
Let see you doing some work to back up your empty words. The
source code for my canonicalization code is on the the net. If
you say it is broken, break it!
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
nfNdl11zVV+oWKMTt0l79zrcrelHalABSBwKeib2
4Ts9fALHrytq8hR6Dhue492m/1vO+fYHy4Kqa6dkQ
