Re: [Foundation-l] OT: Re: PGP-keysign at the tech/chapter-meeting

2009-04-04 Thread Aryeh Gregor
On Sat, Apr 4, 2009 at 6:37 AM, Jussi-Ville Heiskanen wrote:
> Personally (even though I don't have tattoos) I think I
> could give details of myself that would be somewhat
> difficult to forge on short notice. The index finger of
> my right hand sports a completely healed up lack
> of nail. That is to say my index finger has a shrunken
> leathery surface where usually there would be a nail.

Okay, great.  So if someone shows up with an index finger like yours,
there are two possibilities:

1) Someone forged this e-mail from you that I was relying on, and the
key I just signed is bogus.

2) This e-mail from you is legitimate, so the key is legitimate.  But
in this case, why didn't you just skip the middle-man and include the
public key in your e-mail and have me sign it from there?

Getting a public key from someone who you've only communicated with
via e-mail can *never* be more secure than just getting the key via
e-mail somehow.  As far as I'm concerned, you may as well not exist in
real life at all.  I've only read your e-mails.  Your real-life
identity isn't necessary or even useful to my verification of the
identity I care about, viz., your e-mail identity.

The secure way to do key-signing in situations like this is to attach
a GPG signature to every e-mail you send.  If you attach the same
public key to every single e-mail you send for a few years, then
there's no question about whether the key is yours.  Whoever is
writing the e-mails is the one whose private key is used to sign the
mail, period.  If all the e-mails you've ever sent are forged, and I
only know about you by reading the e-mails, then you *are* the forger
as far as I'm concerned.

Similarly, my identity can be verified by the fact that I've had
commit access and toolserver access for a couple of years based on my
private key.  So you know (or at least, whoever has access to a secure
list of public keys of committers or toolserver users knows) that
whoever controls that private key is the one who's been doing all
those commits and things, which has pretty much got to be the same
person who's been posting on mailing lists and so on.  *That* is
secure.


Key-signings are probably a fun social event, though, even if they
aren't worth much from a security standpoint, so don't mind me.  :)

___
foundation-l mailing list
foundation-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/foundation-l
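
The key-continuity argument in the message above, as an added example that is not part of the original post: a check over a mail archive that reports, per sender, whether one key has signed all of their mail over a long period. The addresses, fingerprints and thresholds are constructed assumptions, and each fingerprint is assumed to come from a signature that was already verified.

```python
from collections import defaultdict
from datetime import date

# Constructed sample: (sender address, date sent, fingerprint of the key whose
# signature verified on that message, or None if unsigned / bad signature).
# Addresses and fingerprints are made up for illustration.
ARCHIVE = [
    ("alice@example.org", date(2007, 3, 1), "AAAA1111"),
    ("alice@example.org", date(2008, 1, 15), "AAAA1111"),
    ("alice@example.org", date(2009, 4, 4), "AAAA1111"),
    ("bob@example.org", date(2008, 6, 1), "BBBB2222"),
    ("bob@example.org", date(2009, 4, 1), "CCCC3333"),   # key changed
    ("carol@example.org", date(2009, 3, 30), "DDDD4444"),
    ("carol@example.org", date(2009, 4, 2), None),        # unsigned mail
]

def key_continuity(archive, min_days=365, min_msgs=3):
    """Classify each sender by how consistently one key signed their mail."""
    by_sender = defaultdict(list)
    for sender, sent, fpr in archive:
        by_sender[sender].append((sent, fpr))
    report = {}
    for sender, msgs in by_sender.items():
        fprs = {f for _, f in msgs if f is not None}
        unsigned = sum(1 for _, f in msgs if f is None)
        if len(fprs) > 1:
            # Two keys claim the same address: continuity is broken.
            report[sender] = ("conflict", sorted(fprs))
        elif unsigned or not fprs:
            # Some mail carries no valid signature, so it cannot be tied to the key.
            report[sender] = ("gaps", sorted(fprs))
        else:
            dates = [d for d, _ in msgs]
            span = (max(dates) - min(dates)).days
            ok = span >= min_days and len(msgs) >= min_msgs
            report[sender] = ("established" if ok else "too-new", sorted(fprs))
    return report

if __name__ == "__main__":
    for sender, (status, fprs) in sorted(key_continuity(ARCHIVE).items()):
        print(f"{sender:20} {status:12} {', '.join(fprs)}")
```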


[Foundation-l] Wikimania 2009: Call for Participation reminder

2009-04-04 Thread Mark (Markie)
Just to remind you all that the Call for Participation for Wikimania 2009
closes soon.  You can view the Call for Participation on the following page:
http://wikimania2009.wikimedia.org/wiki/Call_for_Participation with many
translations available.

For more information about Wikimania 2009, see
http://wikimania2009.wikimedia.org/

Regards

Markie


[Foundation-l] Another #wikibooks meeting: April 09, 2009 21:00 UTC

2009-04-04 Thread Mike.lifeguard
From the feedback regarding Wikibooks' last meeting, it was
generally felt to be worthwhile, so I'd like to have another
meeting on Thursday April 9 at 21:00 UTC. That's 5PM in
Philadelphia, for example.
Once again, I've started a section on
http://meta.wikimedia.org/wiki/Wikibooks/Community-building for
this session with 2 topics to discuss: changing FlaggedRevs
configuration and coordinating feedback about Collections.
Hopefully people will be able to make it, especially those who
couldn't last time. We'll be meeting in #wikibooks on
irc.freenode.net as usual. Anyone who's interested can come -
listen, participate, whatever!
See you there
-Mike

  Mike.lifeguard
  mikelifegu...@fastmail.fm



[Foundation-l] new LSS & a plea for news

2009-04-04 Thread phoebe ayers
Dear foundation-l,

1) summaries for March are posted:
http://meta.wikimedia.org/wiki/LSS#Foundation-l
2) please, if you have some sort of community news (a big chapter or
meetup group event? goings-on on your wiki? some proposal on meta we
should all know about?) don't forget to post it to the mailing list,
or at least to the appropriate project list. The people who write for
Wikizine, the Signpost, and the other community newsletters would all
appreciate it :) and personally, I love seeing what is going on with
the various projects.

-- phoebe

-- 
* I use this address for lists; send personal messages to phoebe.ayers
 gmail.com *



Re: [Foundation-l] Request for your input: biographies of living people

2009-04-04 Thread Nemo_bis
David Gerard, 30/03/2009 23:37:
> The problem, of course, is that every new link or word of text on that
> page lowers its utility. That "help!" page should be as sparse as
> possible for user interface reasons.
> 
> What do you all think?

http://it.wikipedia.org/wiki/Aiuto:Aiuto is much lighter.

Nemo



[Foundation-l] OT: Re: PGP-keysign at the tech/chapter-meeting

2009-04-04 Thread Jussi-Ville Heiskanen
This is widely off topic, I know...

Aryeh Gregor wrote:
> On Wed, Apr 1, 2009 at 8:51 AM, Tim Starling  wrote:
>   
>> Private keys can be compromised by anyone with a whim and a few
>> thousand dollars, either physically by compromise of the device, or
>> remotely by social engineering or zero-day exploit. Key signing
>> parties are premised on the idea that private keys are really private.
>> Since they aren't, the additional security of a real-life meeting is
>> somewhat farcical.
>> 
>
> Moreover, what's to stop someone from showing up and claiming to be
> you?  How are you going to confirm that -- by their telling you
> they're coming and what they look like, over the Internet?  Why don't
> they just sign your keys over the Internet and skip the middle-man?
>
> Not to be negative or anything, sorry.  (I'm not even going to be there.)
>
>   

Personally (even though I don't have tattoos) I think I
could give details of myself that would be somewhat
difficult to forge on short notice. The index finger of
my right hand sports a completely healed up lack
of nail. That is to say my index finger has a shrunken
leathery surface where usually there would be a nail.

My left wrist on the backside also has three round
scars, where I have burnt them with various cigarettes
and cigars, in a roughly belt of Orion pattern, and my
chin has a prominent scar on the underside from when
I jumped into the pool as a child, backwards, taking a
seriously too short a step :-D ( I cringe every time I hear
the famous quote by John Glenn :-) This story benefits
from me mentioning that after the cranial shock of
nearly dislocating my head from my neck, I subsequently
promptly ran head first into a window that was open, and
just managed to ignore the presence of, giving me a much
more short lived scar on my forehead as well.


Yours,

Jussi-Ville Heiskanen

