Re: Question regarding clearsigning emails automatically

2000-12-16 Thread Martin

On Saturday, December 16, 2000 (CS:6.50.351) 00:51:02 [AM] (-0800)
ESP [[EMAIL PROTECTED]] wrote...
 
 As you've so kindly demonstrated, so is most list traffic. 

Quod Erat Demonstrandum

BEG mh
-- 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Linux - millions served - just today
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



Re: Question regarding clearsigning emails automatically

2000-12-16 Thread Martin

On Saturday, December 16, 2000 (CS:6.50.351) 12:42:49 [PM] (-0600)
Brian Minton [[EMAIL PROTECTED]] wrote...

 yes, but not completely, since at a later time, you can always produce your
 public key at a later time if necessary to prove that you did in fact write a
 given message, or that you did not.  
 
That's not possible! If you signed a message (which you do with your private
key) and I verify it with your public key (and I'm sure it's yours) I can be
sure YOU and nobody else wrote that message.
If you generate a new key pair I would see that and would still have your
public key.

Wait a sec. 
 you can always produce your public key at a later time
Do you mean to *upload* your public key at a later time? Then you are right.
I never thought about that. To upload your key later to prove you did
write a message works. But you can't prove you didn't! What if you just
generate a new one?

 This message is not from me. That's not my public key! See!

 However, except for special
 circumstances, I can't imagine any reason not to send your public key to the
 keyserver, especially if you are going to be publishing (eg on a list) signed
 material.

agree

 and yet you signed the message :-)

see the joke there...?

CYL mh
-- 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Linux - its only limit is its physical environment
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



Re: Question regarding clearsigning emails automatically

2000-12-16 Thread Rich Lafferty

On Sat, Dec 16, 2000 at 11:00:34PM +0100, Martin ([EMAIL PROTECTED]) wrote:
 On Saturday, December 16, 2000 (CS:6.50.351) 12:42:49 [PM] (-0600)
 Brian Minton [[EMAIL PROTECTED]] wrote...
 
  yes, but not completely, since at a later time, you can always produce your
  public key at a later time if necessary to prove that you did in fact write a
  given message, or that you did not.  
  
 That's not possible! If you signed a message (which you do with your private
 key) and I verify it with your public key (and I'm sure it's yours) I can be
 sure YOU and nobody else wrote that message.

No, you can be sure that someone that knew his passphrase and had
access to his key wrote that message. It might have been him; it might
have been the sysadmin of the machine poking through disk and
memory. You'll note very little difference between this and using the
host from which the message was sent for authentication. There's
nothing about digital signatures to verify who typed the passphrase
into the terminal.

What you *do* know is that the message wasn't altered between signing
and reading; any conclusion of authorship is based on a whole bunch of
"ifs". Most of the time, the risk that those "ifs" imply is
acceptable, but you don't *know*.

  -Rich

-- 
-- Rich Lafferty ---
 Sysadmin/Programmer, Instructional and Information Technology Services
   Concordia University, Montreal, QC (514) 848-7625
- [EMAIL PROTECTED] --



Re: Question regarding clearsigning emails automatically

2000-12-16 Thread Martin

On Thursday, December 14, 2000 (CS:4.50.349) 18:08:48 [PM] (+0100)
Werner Koch [[EMAIL PROTECTED]] wrote...

 On Thu, 14 Dec 2000, Lars Hecking wrote:
 
   IMHO signing list email is a useless and wasteful exercise, especially
   if the sender hasn't submitted his/her keys to the public keyservers.
 
 Well, that depends on the content of the mail.  But you are right,
 for the bulk of ML traffic, there is no need for signing.
 
   Werner

If you don't upload your key to the keyservers, signing is useless and
wasteful.

On the other hand, any signature is (mostly) a waste of bandwidth!

BB mh
-- 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
No signature - Saving bandwidth!
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



Re: Question regarding clearsigning emails automatically

2000-12-15 Thread Martin

On Thursday, December 14, 2000 (CS:4.50.349) 18:44:14 [PM] (+)
Bruno Postle [[EMAIL PROTECTED]] wrote...
 
 I'm very inconsistent with signing mail (especially if I know it's going
 to end up being viewed in Outlook) - but really all I'm doing is

OK. In Outlook the signature is shown as an attachment. But I don't know that
many lusers using M$. (But that's just happy me)

 encouraging people to think that _sometimes_ I don't sign my mail.
 
 What this means is that next time somebody forges my identity, nobody
 will think it's a forgery (they will just think I forgot to sign again).

Right. Call me paranoid, but I tell everyone I'm signing ALL my messages. If
they get a message that looks like it's coming from me and isn't signed, they
know this message is not from me!

 
 Really, you should be signing everything or nothing.
 

Signing only makes sense when the public key is available on the keyservers.
This is a hint to everyone who posts on this list - I know there are a few who
*forgot* to upload it...BG

BFN mh
-- 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  If you are reading this and it's not signed - IT'S NOT FROM ME!
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



Re: Question regarding clearsigning emails automatically

2000-12-15 Thread John A. Martin

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 "WK" == Werner Koch
 "Re: Question regarding clearsigning emails automatically"
  Thu, 14 Dec 2000 18:24:10 +0100

WK On Thu, 14 Dec 2000, David Champion wrote:
 Having the signatures come up, and my mailer and OpenPGP client
 freeze while I wait to download a signature that might and
 might not be on the

WK And on a slow box (mine) it even freezes during signature
WK verification. It would be much better if Mutt has an option to
WK check signatures on demand and not every time you open that
WK message.

If you have had the experience of having nasty mail forged with your
name and header sender information you will value the option of
establishing the practice of _always_ signing your mail so that you
can be more credible when you disclaim any unsigned mail attributed to
you.

I have also come to the opinion that signing all mail and encrypting
all private mail whose recipient will stand for it is not only wise
self interest but also a boon to the cause of encouraging widespread
acceptance and use of encryption.

jam




Re: Question regarding clearsigning emails automatically

2000-12-14 Thread Lars Hecking

[EMAIL PROTECTED] writes:
 Hi,
   I would first like to thank Graham, Brian, and Andrew for their responses to 
my question regarding clearsigning my emails.  As you can see, this message is 
clearsigned.

 Please trim your lines to 72-76 chars per line. Thank you.

 IMHO signing list email is a useless and wasteful exercise, especially
 if the sender hasn't submitted his/her keys to the public keyservers.
 In this situation, those who have configured their encryption software
 to automatically import keys from these servers are penalised.




Re: Question regarding clearsigning emails automatically

2000-12-14 Thread David Champion

On 2000.12.14, in [EMAIL PROTECTED],
"Lars Hecking" [EMAIL PROTECTED] wrote:
 
  IMHO signing list email is a useless and wasteful exercise, especially
  if the sender hasn't submitted his/her keys to the public keyservers.
  In this situation, those who have configured their encryption software
  to automatically import keys from these servers are penalised.

This has come up before in my conversation with others.  I think that
signing all mail as a policy is a waste of resources and a potential
source of annoyance, whether it's list mail or not.  I think that
sensitive material (code patches, or authoritative announcements of new
software releases, or analyses of the latest Communications Prohibition
Act, and the like) ought to be signed if possible; anyone who is
concerned about the validity of the message can check the signature if
they like.

But, by and large, it doesn't matter.  I don't really care whether it
was really the person I know as Lars Hecking who wrote the message I'm
replying to right now.  It only matters what's said in this case, and
not much who said it.  If I want to confirm all this, I can write to
Lars and he can sign it.  If I sign my mail to Lars, he'll quite
possibly even sign his reply.  But chances are exceedingly small that
any given item of information really needs to be corroborated.  Since
PGP became available, I've been asked only a handful of times to resend
something with a signature.  I'm reluctant to believe that's only
because people don't know that I have a signing key.

Having the signatures come up, and my mailer and OpenPGP client freeze
while I wait to download a signature that might and might not be on the
server that I use, only to discover that the signed material doesn't
even need validation, is somewhat irritating at times - semi-political
privacy agenda or no.

-- 
 -D. [EMAIL PROTECTED] NSIT University of Chicago



Re: Question regarding clearsigning emails automatically

2000-12-14 Thread Werner Koch

On Thu, 14 Dec 2000, David Champion wrote:

 Having the signatures come up, and my mailer and OpenPGP client freeze
 while I wait to download a signature that might and might not be on the

And on a slow box (mine) it even freezes during signature
verification. It would be much better if Mutt has an option to check
signatures on demand and not every time you open that message.

  Werner



Re: Question regarding clearsigning emails automatically

2000-12-14 Thread Werner Koch

On Thu, 14 Dec 2000, Lars Hecking wrote:

  IMHO signing list email is a useless and wasteful exercise, especially
  if the sender hasn't submitted his/her keys to the public keyservers.

Well, that depends on the content of the mail.  But you are right,
for the bulk of ML traffic, there is no need for signing.

  Werner



Re: Question regarding clearsigning emails automatically

2000-12-14 Thread Charles Curley

On Thu, Dec 14, 2000 at 06:24:10PM +0100, Werner Koch muttered:
 On Thu, 14 Dec 2000, David Champion wrote:
 
  Having the signatures come up, and my mailer and OpenPGP client freeze
  while I wait to download a signature that might and might not be on the
 
 And on a slow box (mine) it even freezes during signature
 verification. It would be much better if Mutt has an option to check
 signatures on demand and not every time you open that message.


Try:

set pgp_verify_sig=ask-yes


-- 

-- C^2

No windows were crashed in the making of this email.

Looking for fine software and/or web pages?
http://w3.trib.com/~ccurley


Re: Question regarding clearsigning emails automatically

2000-12-14 Thread Bruno Postle

On Thu 14-Dec-2000 at 11:03:13AM -0600, David Champion wrote:
 
 This has come up before in my conversation with others.  I think that
 signing all mail as a policy is a waste of resources and a potential
 source of annoyance, whether it's list mail or not.  I think that
 sensitive material (code patches, or authoritative announcements of
 new software releases, or analyses of the latest Communications
 Prohibition Act, and the like) ought to be signed if possible; anyone
 who is concerned about the validity of the message can check the
 signature if they like.

I'm very inconsistent with signing mail (especially if I know it's going
to end up being viewed in Outlook) - but really all I'm doing is
encouraging people to think that _sometimes_ I don't sign my mail.

What this means is that next time somebody forges my identity, nobody
will think it's a forgery (they will just think I forgot to sign again).

Really, you should be signing everything or nothing.

Bruno
-- 
http://bruno.postle.net/



Re: Question regarding clearsigning emails automatically

2000-12-14 Thread Joe Philipps

On Thu, Dec 14, 2000 at 11:03:13AM -0600, David Champion wrote:
I think that
signing all mail as a policy is a waste of resources and a potential
source of annoyance, whether it's list mail or not.
[...]
anyone who is
concerned about the validity of the message can check the signature if
they like.

But, by and large, it doesn't matter.  I don't really care whether it
was really the person I know as Lars Hecking who wrote the message I'm
replying to right now.  It only matters what's said in this case, and
not much who said it.  If I want to confirm all this, I can write to
Lars and he can sign it.  If I sign my mail to Lars, he'll quite
possibly even sign his reply.

But the signature can only be checked if it's present.  If the sig
isn't present, you need additional steps.  ...a small example: I get
annoyed before going on a long trip, and I write an email in which I
write things that are uncharacteristic of me (because I'm annoyed).  A
day later, when you receive my mail, you'd like to verify that it was
really I who wrote that, so you send me email asking if I really wrote
that.  Oh, well...you're left wondering until I get back say a month
and a half later, because when you do your further inquiry, I've
already left.  Now if I'd have signed it, you have the option of
configuring anything in your mail system over which you have control
(~/.procmailrc, ~/.muttrc, ~/.gnupg/options to name a potential few)
to do anything you want, including choosing not to open my signed
message, sending it off to another box to be read later, write
something/modify Mutt to fetch possibly nonexistent keys in the
background, specify a different pager that asynchronously verifies the
signature (e.g., pop-up X window or something)...at least by signing
it, I've given you the tool with which you can do it if you choose.
And you can also choose not to do anything at all with my message.

[...]

Having the signatures come up, and my mailer and OpenPGP client freeze
while I wait to download a signature that might and might not be on the
server that I use, only to discover that the signed material doesn't
even need validation, is somewhat irritating at times - semi-political
privacy agenda or no.

I would agree it can be irritating at times.  But I would also
respectfully argue that due to your configuration, you have only
yourself to blame for your irritation.  IMHO, you just need a little
creative thinking ("hmmm...could I use something in a procmail recipe
to fetch keys in the background and add them to my keyring?") in order
to reduce or eliminate your irritation.  Computers are so wonderful
because so many of them are so flexible.  I'm also willing to admit,
though, that often with flexibility comes complexity.

P.S. -- I'll skip the digital signature this time.  Dontcha just hate
it when you ask someone not to do something (e.g., a "Jeopardy!"
format message), but then they do it anyway???

-- 
Oo---o, Oo---o, O-weem-oh-wum-ooo-ayyy
In the jungle, the silicon jungle, the process sleeps tonight.
Joe Philipps [EMAIL PROTECTED], http://www.philippsfamily.org/Joe/
public PGP/GPG key 0xFA029353 available via http://www.keyserver.net
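Joe's idea of letting a filter react to the signature state rather than blocking the mailer, together with the "unsigned means not from me" rule Martin and Bruno argue for, can be written as a small policy over the status lines gpg emits on --status-fd. This is an added example, not code from the thread or from Mutt/GnuPG; the sender addresses, the ALWAYS_SIGNS set and the sample status output are constructed.

```python
import re

# Status tokens are those documented in GnuPG's doc/DETAILS (GOODSIG, BADSIG,
# NO_PUBKEY, TRUST_*); gpg writes them to --status-fd while verifying a message.
STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")

# Senders who have announced that unsigned mail is not theirs (constructed set).
ALWAYS_SIGNS = {"mh@example.invalid"}

# Constructed sample status output for five mails; not captured from real messages.
SAMPLES = {
    "signed_known":   "[GNUPG:] NEWSIG\n"
                      "[GNUPG:] GOODSIG 0123456789ABCDEF Poster <poster@example.invalid>\n"
                      "[GNUPG:] TRUST_FULLY\n",
    "signed_unknown": "[GNUPG:] NEWSIG\n"
                      "[GNUPG:] GOODSIG 0123456789ABCDEF Poster <poster@example.invalid>\n"
                      "[GNUPG:] TRUST_UNDEFINED\n",
    "key_missing":    "[GNUPG:] ERRSIG FEDCBA9876543210 17 2 00 976809790 9\n"
                      "[GNUPG:] NO_PUBKEY FEDCBA9876543210\n",
    "altered":        "[GNUPG:] BADSIG 0123456789ABCDEF Poster <poster@example.invalid>\n",
    "unsigned":       "",
}

def classify(status_text):
    """Reduce gpg status lines to (verdict, key_id, trust)."""
    verdict, key_id, trust = "unsigned", None, None
    for line in status_text.splitlines():
        m = STATUS_RE.match(line)
        if not m:
            continue
        token, args = m.group(1), (m.group(2) or "").split()
        if token in ("GOODSIG", "BADSIG", "NO_PUBKEY"):
            verdict = {"GOODSIG": "good", "BADSIG": "bad", "NO_PUBKEY": "missing-key"}[token]
            key_id = args[0] if args else None
        elif token.startswith("TRUST_"):
            trust = token[len("TRUST_"):].lower()
    return verdict, key_id, trust

def decide(sender, status_text):
    """Map the verdict to an action a filter (procmail recipe, mutt hook) could take."""
    verdict, key_id, trust = classify(status_text)
    if verdict == "bad":
        return "reject-altered"              # content changed between signing and reading
    if verdict == "missing-key":
        return "defer-fetch-key:" + key_id   # fetch the key in the background, re-verify later
    if verdict == "good":
        # A good signature proves only that this key signed; trust says whether the key is the sender's.
        return "accept" if trust in ("fully", "ultimate") else "accept-unverified-key"
    return "suspect-unsigned" if sender in ALWAYS_SIGNS else "accept-unsigned"
```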