>>>>> "ozymandias" == ozymandias G desiderata <[EMAIL PROTECTED]> writes:

ozymandias> On Mon, Jul 09, 2001 at 01:23:29PM -0600, Hubert Chan wrote:
Hubert> PS. If you're going to PGP-sign your messages, you might want to
Hubert> upload your key to a server, so that we can check the sig.

ozymandias> At this late date, I'm a little confused as to what the
ozymandias> benefit of key servers are, and I'm even a little bit
ozymandias> confused why people PGP / GnuPG sign their mail to mailing
ozymandias> lists. As you will no doubt notice, I've gone along with
ozymandias> common practice and created a GnuPG key for use with mailing
ozymandias> lists and other low-trust / low-threat environments. I'm
ozymandias> just not sure why.

Keyservers are for distributing keys easily. It's a whole lot easier to
upload once than to have people ask for your key. In addition, I'd much
rather trust a key that I obtained a couple months before I needed to
encrypt something to you, than if I obtained it a couple
days/hours/minutes before by asking you to e-mail it to me.

BTW, I don't know why people sign their mail to mailing lists (other
than things like debian-security-announce). I do it because I think
that all e-mail, and for that matter, all internet traffic, should be
encrypted. Of course this doesn't work on a mailing list (although
there is an attempt to make a mailing list where it works), and signing
seems to be the next best thing. It's also a big proclamation that "I
am a PGP/GnuPG user," along with my sig that says, "Please encrypt *all*
e-mail to me." ;-)

ozymandias> Let me explain.

ozymandias> It seems to me that the use of signatures on these lists is
ozymandias> to prove an association between a user and an e-mail
ozymandias> address, i.e. "yes, this e-mail actually comes from the
ozymandias> From: address specified in the header". No more, no
ozymandias> less.

Actually, it doesn't even do that, since anyone can fake a key with that
e-mail address. But that's a different story...

ozymandias> Unless you know me or have some other stake in knowing that
ozymandias> said mail is from where it says it is, this information is
ozymandias> of little use to you.

If the signature checks out fine, then we don't have much information.
If the signature doesn't check out, then we know that someone's doing
something nasty. And it's harder to spoof a signature to an entire
mailing list. Of course, no one is going to go through the effort of
spoofing in a simple mailing list.

So if, for whatever reason, I need to send you an encrypted message a
couple years down the road, and am unable to verify your key, I would
have at least one data point indicating that the key that I have is
"probably" correct, if I can check your signature with it.

ozymandias> Furthermore, even if you do care, there's nothing stopping
ozymandias> determined attackers from inserting keys that misrepresent
ozymandias> themselves into the key server -- unless you as a recipient
ozymandias> decide to verify the fingerprint of my key. Since that step
ozymandias> must be accomplished anyway, how much of an additional
ozymandias> hassle is it to ask me for my key in the first place?

Key distribution and verification is best done over two separate
channels, if it's done over the Internet. One channel can be spoofed,
but two channels is harder. If it's done in meatspace, fingerprint
verification is a lot easier than distribution. It's easier to verify a
fingerprint over the phone than to read off your key. Fingerprints can
be printed on business cards, but keys cannot (unless you have a huge
business card, or use a micro-dot).

-- 
Hubert Chan <[EMAIL PROTECTED]> - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD 6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net. Please encrypt *all* e-mail to me.
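The two-channel check discussed in the message above, as an added example that is not part of the original e-mail or of GnuPG: a key fetched over one channel is accepted only if its full OpenPGP v4 fingerprint (RFC 4880, section 12.2) equals the fingerprint received over a second channel. The function names and the toy key packets are assumptions constructed for illustration; only the fingerprint string in `PAGE_FPR` comes from the message.

```python
import hashlib
import hmac
import struct

def v4_fingerprint(key_body: bytes) -> str:
    """RFC 4880 sec. 12.2: SHA-1 over 0x99, 2-octet length, public-key packet body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).hexdigest().upper()

def normalize(fpr: str) -> str:
    """Canonicalize a fingerprint as printed on a card or read over the phone."""
    cleaned = "".join(fpr.split()).replace(":", "").upper()
    if len(cleaned) != 40 or set(cleaned) - set("0123456789ABCDEF"):
        raise ValueError("expected a 160-bit (40 hex digit) v4 fingerprint")
    return cleaned

def short_key_id(fpr: str) -> str:
    """The 8-digit key ID is only the low 32 bits of the fingerprint."""
    return normalize(fpr)[-8:]

def key_matches(key_body: bytes, out_of_band_fpr: str) -> bool:
    """Channel 1 supplies the key, channel 2 the fingerprint; accept only on a full match."""
    return hmac.compare_digest(v4_fingerprint(key_body), normalize(out_of_band_fpr))

def toy_key_body(created: int, modulus: bytes) -> bytes:
    """Constructed v4 RSA public-key packet body (toy modulus, not a usable key)."""
    def mpi(raw: bytes) -> bytes:
        return struct.pack(">H", int.from_bytes(raw, "big").bit_length()) + raw
    return b"\x04" + struct.pack(">IB", created, 1) + mpi(modulus) + mpi(b"\x01\x00\x01")

# Constructed sample data: the user ID is not hashed into the fingerprint, so a
# key uploaded under the same e-mail address still gets a different fingerprint.
GENUINE = toy_key_body(994_700_000, bytes(range(0xA1, 0xB1)))
IMPOSTOR = toy_key_body(994_700_000, bytes(range(0xB1, 0xC1)))
CARD_FPR = " ".join(v4_fingerprint(GENUINE)[i:i + 4] for i in range(0, 40, 4))
PAGE_FPR = "6CC5 822D 2E55 494C 81DD 6F2C 6518 54DF 71FD A37F"  # from the message's signature block

if __name__ == "__main__":
    print("genuine key accepted: ", key_matches(GENUINE, CARD_FPR))
    print("impostor key accepted:", key_matches(IMPOSTOR, CARD_FPR))
    print("short key ID from fingerprint:", short_key_id(PAGE_FPR))
```

The comparison is made on all 160 bits; the short key ID is derived from the fingerprint and is too small to serve as the verification value.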