John Buttery <[EMAIL PROTECTED]> wrote:

(Sorry, that it took quite a while for me to reply -- I'm always slow
on these things...)

> Well, here's my two cents for you to add to the stuff you're reading
> up on.  

Thank you very much, I appreciate it. :-)

> I encrypt every message I can (which isn't many yet, *sigh*), sign all 
> private mail except to the really militant dissenters (i.e. users of a 
> particular version of Eudora that actually locks up trying to read the 
> message...), and sign all list mail.

Well yeah, after Feztaa demonstrated the spoofing of an email address,
I began to sign *every* mail as well. It actually was *pretty* scary
to see me -- my email address and signature -- writing that shit; for
a second I even thought I was hallucinating. ;-)

As for encrypting, that I haven't done yet (except for testing it).
But I know that it'll definitely come into use one day, as some of the
mails I send are pretty damn personal, and if a mail like that ended
up in the wrong hands... ah well, I don't even want to think about it.

> My own reasons for signing all list mail are thus:
> 
> 1) It increases awareness of cryptography as a mainstream utility.
> Sometimes people ask me about it, maybe others silently look it up on
> the web or consult their local nerd resource. :)  This is kinda a minor
> reason though.

This is actually a pretty good point. And I agree, cryptography should
indeed be brought before the eyes of every data communicator, or
better, every computer user whatsoever -- as it is said, "you can't
be too careful".

> Now let me just explicitly say that what I'm about to describe is
> _not_ (there's that super-sized emphasis again) a substitute for actual
> signatures on a key.  This is just a suggestion for a "second-best"
> procedure...
> By signing all public mail, I am creating a far-flung "paper trail" on
> the web and in people's mailboxes of all my signed email.  What this
> means is, that if someone gets a message that's signed by a key with my
> name on it but has no sigs that they themselves trust, they can consult
> something like Google and find its archive of 2.3 to the power of spork
> messages that are signed by my public key.  They can then say, OK,
> whoever signed this message also signed all those other messages.  A
> careful examination of a cross-section of those messages may give them
> some clue, maybe through speech patterns etc, that the person from all
> those messages is the same one who sent the email they now have in their
> inbox.  Again, it's not a substitute for actual web-of-trust sigs, but
> it does at least a little good in a pinch.  Just the fact that there are
> a zillion things out there with my sig lends it credence; after all, it
> would take a lot of motivation for someone to bother creating a fake key
> and then manually composing all those messages over the course of time
> just to fake someone out.

Yeah, you are right. Once you've sort of "shown" that you sign every
goddamn mail you send, people should at least be alert if they receive
an unsigned message from an address that implies it's yours. Then they
can more easily deduce that the mail they got can be, or *probably*
is, spoofed. As you sign every mail, people will learn that, and they
know to expect a signed mail from *you*.

I hope you get my point; I'm a bit tired and dizzy at the moment, and
my thoughts are pretty slow tonight...

> Oh, and of course I also sign just to keep Rob from forging my email.
> :)

LOL!

It was scary, now wasn't it? :-)

> still haven't fixed the sig rotation script.

Once you have, could you let me know -- I'd be interested too. :-)

-- 
Jussi Ekholm <[EMAIL PROTECTED]> | Jesus is on opium, Jesus needs a fix,
http://erppimaa.cjb.net/~ekhowl/   | Singing love, brother love,
ekh @ IRCNet                       | Singing love, brother love...

Attachment: msg26428/pgp00000.pgp
Description: PGP signature

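The habit discussed in this thread, signing every mail so that an unsigned message from the same address stands out, can be turned into a simple mailbox check. The script below is an added example written for this archive page, not code from anyone in the thread; the mailbox and the signature bodies in it are constructed placeholders, and the check is structural only (is there a PGP/MIME or clearsigned signature at all), so actual verification of the signature still needs gpg.

```python
from collections import defaultdict
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed sample mailbox (not real mail): two signed mails from one
# address, one unsigned mail from that same address, and one mail from an
# address that never signs. Signature blocks are placeholders, not real.
PGP_MIME = (
    'From: Jussi <ekhowl@example.invalid>\nSubject: list mail 1\n'
    'Content-Type: multipart/signed; protocol="application/pgp-signature";'
    ' boundary="b1"\n\n--b1\nContent-Type: text/plain\n\nhello\n--b1\n'
    'Content-Type: application/pgp-signature\n\n-----BEGIN PGP SIGNATURE-----\n'
    '(placeholder)\n-----END PGP SIGNATURE-----\n--b1--\n')
CLEARSIGNED = (
    'From: Jussi <ekhowl@example.invalid>\nSubject: list mail 2\n\n'
    '-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\nhello again\n'
    '-----BEGIN PGP SIGNATURE-----\n(placeholder)\n-----END PGP SIGNATURE-----\n')
UNSIGNED_SAME = 'From: Jussi <EKHOWL@example.invalid>\nSubject: no signature\n\nhi\n'
UNSIGNED_OTHER = 'From: Bob <bob@example.invalid>\nSubject: hello\n\nhi\n'
SAMPLES = [PGP_MIME, CLEARSIGNED, UNSIGNED_SAME, UNSIGNED_OTHER]


def is_pgp_signed(msg: Message) -> bool:
    """Structural check only: does the mail carry a PGP signature at all?"""
    # PGP/MIME (RFC 3156): multipart/signed using the pgp-signature protocol.
    if (msg.get_content_type() == "multipart/signed"
            and msg.get_param("protocol") == "application/pgp-signature"):
        return True
    # Inline clearsign: the body itself starts with the armor header.
    if not msg.is_multipart():
        body = msg.get_payload(decode=True) or b""
        return body.lstrip().startswith(b"-----BEGIN PGP SIGNED MESSAGE-----")
    return False


def flag_unsigned_from_signers(raw_messages):
    """Return (sender, subject) for unsigned mails from addresses that have
    signed before, i.e. mails that break the sender's own signing habit."""
    parsed = [message_from_string(raw) for raw in raw_messages]
    signed_count = defaultdict(int)
    for msg in parsed:
        if is_pgp_signed(msg):
            signed_count[parseaddr(msg["From"])[1].lower()] += 1
    flagged = []
    for msg in parsed:
        sender = parseaddr(msg["From"])[1].lower()
        if not is_pgp_signed(msg) and signed_count[sender] > 0:
            flagged.append((sender, msg["Subject"]))
    return flagged


if __name__ == "__main__":
    for sender, subject in flag_unsigned_from_signers(SAMPLES):
        print(f"unsigned mail from habitual signer {sender}: {subject!r}")
```

A sender who has never signed (Bob above) is not flagged, which is exactly the gap the thread describes: the heuristic only works for addresses whose owners sign consistently.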