Re: why bother signing? (was Re: What email encryption is actually in use?)
> There have been episodes of spoofing on this list. If client
> side encryption "just worked", and if what is considerably more
> difficult, checking the signatures "just worked", there would
> be no bother, hence it would be rational to sign

Not "just work" but "opt out" is what you are looking for.

If there are n posters to the list and m people signing, then there are only n-m spoof targets. As m approaches n, the number of forgeries rapidly approaches zero as there is no one left worth spoofing who can be spoofed. But as each individual's chance of being spoofed approaches zero, the benefit gained by signing also approaches zero. Consequently unless there are additional costs to non-signing above and beyond spoof protection there will always be a substantial number of unsigned messages.

--
 Julian Assange      |If you want to build a ship, don't drum up people
                     |together to collect wood or assign them tasks and
 [EMAIL PROTECTED]   |work, but rather teach them to long for the endless
 [EMAIL PROTECTED]   |immensity of the sea. -- Antoine de Saint Exupery

Re: why bother signing? (was Re: What email encryption is actually in use?)
at Friday, October 04, 2002 9:07 PM, Major Variola (ret) <[EMAIL PROTECTED]> was seen to say:
> In an environment where spoofing was common, folks would
> sign (which is not incompatible with retaining anonymity, of course).

It *is* possible to sign in the name of a nym; there is no reason why a nym can't build an independent reputation without having a known "handler"

Re: why bother signing?
On Saturday 05 October 2002 07:34, Ben Laurie wrote:
> Ben Laurie wrote:
> > On Fri, Oct 04, 2002 at 01:07:50PM -0700, Major Variola (ret) wrote:
> >>But Ben is not spoofed here!
> >
> > He is now.
> >
> > Cheers,
> >
> > Ben.
>
> I will confirm this as a (detectable) spoof :-)
>
> Cheers,
>
> Ben.

Ah, but how do we know that that wasn't the spoofer "confirming" his own spoof?

(That's not an entirely joking question. Not enough headers make it through the mailing list and my ISP for me to tell the difference between the two "Ben Laurie" messages cited above.)

--
Steve Furlong    Computer Condottiere    Have GNU, Will Travel

Vote Idiotarian --- it's easier than thinking

Re: why bother signing? (was Re: What email encryption is actually in use?)
Ben Laurie wrote:
> On Fri, Oct 04, 2002 at 01:07:50PM -0700, Major Variola (ret) wrote:
>
>>At 04:45 PM 10/3/02 -0700, James A. Donald wrote:
>>
>>> --
>>>James A. Donald wrote:
>>>
>If we had client side encryption that "just works" we would
>be seeing a few more signed messages on this list,
>>>Ben Laurie wrote:
>>> Why would I want to sign a message to this list?
>>>
>>>Then all the people who read this list, were they to receive a
>>>communication from you, they would know it was the same Ben
>>>Laurie who posts to this list.
>>
>>But Ben is not spoofed here!
>
> He is now.
>
> Cheers,
>
> Ben.

I will confirm this as a (detectable) spoof :-)

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html
http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff

Re: why bother signing? (was Re: What email encryption is actually in use?)
James A. Donald:
> >> > If we had client side encryption that "just works" we
> >> > would be seeing a few more signed messages on this list,

Major Variola (ret):
> But Ben is not spoofed here! So there is little motivation.
>
> [...]
>
> In the absence of any need, it's not rational to bother.

There have been episodes of spoofing on this list. If client side encryption "just worked", and if what is considerably more difficult, checking the signatures "just worked", there would be no bother, hence it would be rational to sign

    --digsig
         James A. Donald
     6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
     j35pZ93cRp46pIhaD4AQ0X3neQjPEV2l9JrKJ2L2
     4Eto77muLU+n+EF8nNrcbcSAMw1Vtdttyl1600R9x

Re: why bother signing? (was Re: What email encryption is actually in use?)
On Fri, Oct 04, 2002 at 01:07:50PM -0700, Major Variola (ret) wrote:
> At 04:45 PM 10/3/02 -0700, James A. Donald wrote:
> >--
> >James A. Donald wrote:
> >> > If we had client side encryption that "just works" we would
> >> > be seeing a few more signed messages on this list,
> >
> >Ben Laurie wrote:
> >> Why would I want to sign a message to this list?
> >
> >Then all the people who read this list, were they to receive a
> >communication from you, they would know it was the same Ben
> >Laurie who posts to this list.
>
> But Ben is not spoofed here!

He is now.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html
http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff

why bother signing? (was Re: What email encryption is actually in use?)
At 04:45 PM 10/3/02 -0700, James A. Donald wrote:
>--
>James A. Donald wrote:
>> > If we had client side encryption that "just works" we would
>> > be seeing a few more signed messages on this list,
>Ben Laurie wrote:
>> Why would I want to sign a message to this list?
>
>Then all the people who read this list, were they to receive a
>communication from you, they would know it was the same Ben
>Laurie who posts to this list.

But Ben is not spoofed here! So there is little motivation.

In an environment where spoofing was common, folks would sign (which is not incompatible with retaining anonymity, of course). You could also sign anonymous statements here which you might decide to bind to one of your identities later.

In the absence of any need, it's not rational to bother.