Re: why bother signing? (was Re: What email encryption is actually in use?)

2002-10-13 Thread Julian Assange

> There have been episodes of spoofing on this list.  If client
> side encryption "just worked", and if what is considerably more
> difficult, checking the signatures "just worked", there would
> be no bother, hence it would be rational to sign

Not "just work" but "opt out" is what you are looking for. If there
are n posters to the list and m people signing, then there are only
n-m spoof targets. As m approaches n, the number of forgeries
rapidly approaches zero as there is no one left worth spoofing who
can be spoofed. But as each individual's chance of being spoofed
approaches zero, the benefit gained by signing also approaches
zero. Consequently unless there are additional costs to non-signing
above and beyond spoof protection there will always be a substantial
number of unsigned messages.

--
 Julian Assange     |If you want to build a ship, don't drum up people
                    |together to collect wood or assign them tasks and
 [EMAIL PROTECTED]  |work, but rather teach them to long for the endless
 [EMAIL PROTECTED]  |immensity of the sea. -- Antoine de Saint Exupery




Re: why bother signing? (was Re: What email encryption is actually in use?)

2002-10-07 Thread David Howe

at Friday, October 04, 2002 9:07 PM, Major Variola (ret) <[EMAIL PROTECTED]>
was seen to say:
> In an environment where spoofing was common, folks would
> sign (which is not incompatible with retaining anonymity, of course).
It *is* possible to sign in the name of a nym; there is no reason why a
nym can't build an independent reputation without having a known
"handler"




Re: why bother signing?

2002-10-05 Thread Steve Furlong

On Saturday 05 October 2002 07:34, Ben Laurie wrote:
> Ben Laurie wrote:
> > On Fri, Oct 04, 2002 at 01:07:50PM -0700, Major Variola (ret) wrote:
> >>But Ben is not spoofed here!
> >
> > He is now.
> >
> >
> > Cheers,
> >
> > Ben.
>
> I will confirm this as a (detectable) spoof :-)
>
> Cheers,
>
> Ben.

Ah, but how do we know that that wasn't the spoofer "confirming" his own 
spoof?

(That's not an entirely joking question. Not enough headers make it 
through the mailing list and my ISP for me to tell the difference
between the two "Ben Laurie" messages cited above.)

-- 
Steve Furlong    Computer Condottiere   Have GNU, Will Travel

Vote Idiotarian --- it's easier than thinking




Re: why bother signing? (was Re: What email encryption is actually in use?)

2002-10-05 Thread Ben Laurie

Ben Laurie wrote:
> On Fri, Oct 04, 2002 at 01:07:50PM -0700, Major Variola (ret) wrote:
> 
>>At 04:45 PM 10/3/02 -0700, James A. Donald wrote:
>>
>>>   --
>>>James A. Donald wrote:
>>>
>>>>>If we had client side encryption that "just works" we would
>>>>>be seeing a few more signed messages on this list,
>>
>>>Ben Laurie wrote:
>>>
>>>>Why would I want to sign a message to this list?
>>>
>>>Then all the people who read this list, were they to receive a
>>>communication from you, they would know it was the same Ben
>>>Laurie who posts to this list.
>>
>>But Ben is not spoofed here!  
> 
> 
> 
> He is now.
> 
> 
> Cheers,
> 
> Ben.

I will confirm this as a (detectable) spoof :-)

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html   http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff




Re: why bother signing? (was Re: What email encryption is actually in use?)

2002-10-04 Thread James A. Donald

James A. Donald:
> >> > If we had client side encryption that "just works" we
> >> > would be seeing a few more signed messages on this list,

Major Variola (ret):
> But Ben is not spoofed here!  So there is little motivation.
>
> [...]
>
> In the absence of any need, it's not rational to bother.

There have been episodes of spoofing on this list.  If client
side encryption "just worked", and if what is considerably more
difficult, checking the signatures "just worked", there would
be no bother, hence it would be rational to sign

--digsig
 James A. Donald
 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
 j35pZ93cRp46pIhaD4AQ0X3neQjPEV2l9JrKJ2L2
 4Eto77muLU+n+EF8nNrcbcSAMw1Vtdttyl1600R9x




Re: why bother signing? (was Re: What email encryption is actually in use?)

2002-10-04 Thread Ben Laurie

On Fri, Oct 04, 2002 at 01:07:50PM -0700, Major Variola (ret) wrote:
> At 04:45 PM 10/3/02 -0700, James A. Donald wrote:
> >--
> >James A. Donald wrote:
> >> > If we had client side encryption that "just works" we would
> >> > be seeing a few more signed messages on this list,
> 
> >Ben Laurie wrote:
> >> Why would I want to sign a message to this list?
> >
> >Then all the people who read this list, were they to receive a
> >communication from you, they would know it was the same Ben
> >Laurie who posts to this list.
> 
> But Ben is not spoofed here!  


He is now.


Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html   http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff




why bother signing? (was Re: What email encryption is actually in use?)

2002-10-04 Thread Major Variola (ret)

At 04:45 PM 10/3/02 -0700, James A. Donald wrote:
>--
>James A. Donald wrote:
>> > If we had client side encryption that "just works" we would
>> > be seeing a few more signed messages on this list,

>Ben Laurie wrote:
>> Why would I want to sign a message to this list?
>
>Then all the people who read this list, were they to receive a
>communication from you, they would know it was the same Ben
>Laurie who posts to this list.

But Ben is not spoofed here!  So there is little motivation.

In an environment where spoofing was common, folks would
sign (which is not incompatible with retaining anonymity, of course).

You could also sign anonymous statements here which you might
decide to bind to one of your identities later.

In the absence of any need, it's not rational to bother.