RE: GPG testing...
This was EXACTLY my point as to why GPG/PGP for signing email is currently flawed the way it works now.

Case in point: This discussion originated as a discussion about using digital signatures to counter spam. Since digital signatures, on today's Internet, are relatively uncommon, they do not provide non-repudiation. Thus, digital signatures cannot be used to prove one did not send a given spam.

Now, I am sure someone will say, "If you sign all your messages, then the unsigned spam will be suspect, because it lacks your digital signature." That again misses the most fundamental aspect of security: Security is entirely about trust. Someone sending illegitimate mail is, almost by definition, not to be trusted. Thus, if you are suspected of sending an illegitimate message, the fact that you nominally sign all your messages does not impart trust. Indeed, one who regularly traffics in illegitimate messages would be rather more likely to sign all their legitimate mail.

Meanwhile, if you can, by other means, prove you are trustworthy, the digital signature becomes superfluous. We already know you are trustworthy; thus, we don't need a digital signature to know you did not send the illegitimate message.

___
gnhlug-discuss mailing list
[EMAIL PROTECTED]
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
RE: GPG testing...
On Mon, 30 Dec 2002, at 8:10am, [EMAIL PROTECTED] wrote:
> [commentary about non-repudiation not being possible on the Internet]
>
> This was EXACTLY my point as to why GPG/PGP for signing email is currently flawed the way it works now.

No, it is not flawed, either, anymore than a wrench is flawed because it makes a lousy screwdriver. It is solving a different problem.

I repeat: PGP/GPG allow two parties who trust each other to exchange messages over an untrusted medium. Nothing more, and nothing less. If you assume it provides something else, the flaw is with your understanding, not with PGP/GPG. :-)

On today's Internet, achieving non-repudiation is an impossibility. As long as an unsigned message is acceptable and routine, people can send a message they can repudiate.

--
Ben Scott [EMAIL PROTECTED]
| The opinions expressed in this message are those of the author and do not |
| necessarily represent the views or policy of any other person, entity or  |
| organization. All information is provided without warranty of any kind.   |
Re: GPG testing...
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Content-Type: text/plain; charset=us-ascii

Derek,

On your key I get

    Signature made Mon 30 Dec 2002 01:19:00 PM EST using DSA key ID DFBEAD02
    Good signature from Derek D. Martin [EMAIL PROTECTED]
    WARNING: This key is not certified with a trusted signature!
    There is no indication that the signature belongs to the owner.

We signed each other's keys last year. Did you change your key since then?

- --
Gerald Feldman [EMAIL PROTECTED]
Boston Computer Solutions and Consulting
ICQ#156300
PGP Key ID:C5061EA9
PGP Key fingerprint:053C 73EC 3AC1 5C44 3E14 9245 FB00 3ED5 C506 1EA9

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Exmh version 2.5 12/25/2001

iD8DBQE+EPsu+wA+1cUGHqkRAuYcAJ41RwWwT5Ew27TwoKuAFxaY3KKJugCfRNEs
gHXSF4wyGWB6w1HdEKVYGqM=
=WTcP
-----END PGP SIGNATURE-----
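The warning quoted in the message above reports two independent facts: the signature verifies, and the verifier has not certified the signing key. As an added example that is not part of the original thread, the sketch below separates those facts using the status tokens GnuPG emits with `--status-fd`; the sample lines, key IDs, and the function names `parse_status` and `verdict` are constructed for illustration.

```python
# Added example: interprets GnuPG machine-readable status lines (gpg --status-fd).
# All sample lines are constructed; key IDs and user IDs are placeholders.
CERTIFIED = {"TRUST_FULLY", "TRUST_ULTIMATE"}
UNCERTIFIED = {"TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL"}
SIG_STATES = {"GOODSIG": "good", "BADSIG": "bad", "ERRSIG": "unverifiable",
              "EXPKEYSIG": "good-expired-key", "REVKEYSIG": "good-revoked-key"}


def parse_status(status_text):
    """Return (signature_state, trust_token) from gpg status output."""
    sig, trust = "unsigned", None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        token = fields[1]
        if token in SIG_STATES and sig != "bad":  # a bad signature is never overridden
            sig = SIG_STATES[token]
        elif token in CERTIFIED | UNCERTIFIED:
            trust = token
    return sig, trust


def verdict(status_text):
    """Combine signature validity and key certification into one decision."""
    sig, trust = parse_status(status_text)
    if sig == "unsigned":
        return "no-evidence"       # a missing signature says nothing about the sender
    if sig == "bad":
        return "reject"            # content altered or signature forged
    if sig != "good":
        return "cannot-verify"     # missing, expired or revoked key
    if trust in CERTIFIED:
        return "authenticated"     # good signature, key certified by the verifier
    return "good-but-uncertified"  # the case the warning above describes


# Constructed sample status output, one entry per situation discussed in the thread.
SAMPLES = {
    "uncertified_key": "[GNUPG:] GOODSIG 0000000000000001 Signer One <one@example.org>\n"
                       "[GNUPG:] TRUST_UNDEFINED\n",
    "certified_key": "[GNUPG:] GOODSIG 0000000000000002 Signer Two <two@example.org>\n"
                     "[GNUPG:] TRUST_FULLY\n",
    "tampered": "[GNUPG:] BADSIG 0000000000000002 Signer Two <two@example.org>\n",
    "unsigned_mail": "",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:16} -> {verdict(text)}")
```

Only the `authenticated` result ties a message to a known correspondent; `no-evidence` reflects the point made earlier in the thread that an unsigned message can always be repudiated.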
Re: GPG testing...
> No, [GPG] is not flawed, either, anymore than a wrench is flawed because it makes a lousy screwdriver.

Right. Funny - this all reminds me of the time when my little sister and I were presented with a pair of walkie-talkies. Our parents were initially pleased to see how much fun we had using them, but we couldn't understand why they were irritated about our wanting to use them EVERYWHERE, even at the dinner table...