Why sign posts on mailinglists?

2002-01-24 Thread Preben Randhol

I have just installed gnupg on my system and set it up. I wonder
however why people sign their mails to mailinglists? Perhaps there is
something wrong in my setup because I keep getting:

   [-- PGP output follows (current time: tor 24-01-2002 11:56:40 CET) --]
   gpg: Signature made ons 20-01-2002 22:05:07 CET using DSA key ID
   204A79C7
   [GNUPG:] ERRSIG 3D387689204A79C7 17 2 01 1011819907 9
   [GNUPG:] NO_PUBKEY 3D387689204A79C7
   gpg: Can't check signature: public key not found
   [-- End of PGP output --]

but on the other hand I don't have the pubkey of all the participants to
the mailinglists.

Thanks in advance.

Preben
-- 
 ()   Join the worldwide campaign to protect fundamental human rights.
'||}
{||'   http://www.amnesty.org/
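
[Added example, not part of the original thread and not code from GnuPG or mutt.] The `[GNUPG:]` lines in the post above are gpg's machine-readable status output; this sketch decodes them and shows that ERRSIG with reason 9 means the signature could not be checked at all, which is neither a good nor a bad signature. The function names and verdict labels are assumptions made for the example.

```python
from datetime import datetime, timezone

PREFIX = "[GNUPG:] "
# Status keyword -> verdict label (the labels are this example's own).
VERDICTS = {"GOODSIG": "good", "ERRSIG": "unverifiable", "EXPSIG": "expired",
            "EXPKEYSIG": "expired", "REVKEYSIG": "revoked", "BADSIG": "bad"}
# When several signature lines appear, the right-most (worst) label wins.
SEVERITY = ["unsigned", "good", "unverifiable", "expired", "revoked", "bad"]
# OpenPGP algorithm numbers (RFC 4880), subset.
PUBKEY_ALGOS = {"1": "RSA", "16": "Elgamal", "17": "DSA"}
HASH_ALGOS = {"1": "MD5", "2": "SHA1", "3": "RIPEMD160", "8": "SHA256"}
# ERRSIG reason codes as documented in GnuPG's doc/DETAILS.
ERRSIG_REASONS = {"4": "unsupported algorithm", "9": "missing public key"}

# Status output from the post above, embedded as sample input.
SAMPLE = """\
[GNUPG:] ERRSIG 3D387689204A79C7 17 2 01 1011819907 9
[GNUPG:] NO_PUBKEY 3D387689204A79C7
gpg: Can't check signature: public key not found
"""

def parse_status(text):
    """Yield (keyword, args) for each machine-readable status line."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(PREFIX):
            keyword, *args = line[len(PREFIX):].split()
            yield keyword, args

def describe_errsig(args):
    """Decode ERRSIG <keyid> <pkalgo> <hashalgo> <sigclass> <time> <rc>."""
    key_id, pk, digest, sig_class, when, rc = args[:6]
    if "T" not in when:  # epoch seconds; newer gpg may print ISO 8601 instead
        when = datetime.fromtimestamp(int(when), timezone.utc).isoformat()
    return {"key_id": key_id, "pubkey_algo": PUBKEY_ALGOS.get(pk, pk),
            "hash_algo": HASH_ALGOS.get(digest, digest), "sig_class": sig_class,
            "made": when, "reason": ERRSIG_REASONS.get(rc, "error code " + rc)}

def classify(text):
    """Return a verdict dict; only 'good' means the signature was checked."""
    verdict = {"state": "unsigned", "key_id": None}
    for keyword, args in parse_status(text):
        state = VERDICTS.get(keyword)
        if state is None or not args:
            continue  # NO_PUBKEY and other informational lines
        if SEVERITY.index(state) > SEVERITY.index(verdict["state"]):
            verdict = {"state": state, "key_id": args[0]}
            if keyword == "ERRSIG" and len(args) >= 6:
                verdict.update(describe_errsig(args))
    return verdict

if __name__ == "__main__":
    print(classify(SAMPLE))
```

Feed it only what gpg writes to its status file descriptor (`--status-fd`), never text taken from the message body, since a forged body can contain look-alike lines.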



Re: Why sign posts on mailinglists?

2002-01-24 Thread David T-G

Preben --

...and then Preben Randhol said...
% 
% I have just installed gnupg on my system and set it up. I wonder
% however why people sign their mails to mailinglists? Perhaps there is

This has come up at least twice, in great detail, in recent memory.
Check the archives for more so that we don't have to get into it again :-)


% something wrong in my setup because I keep getting:
% 
%[-- PGP output follows (current time: tor 24-01-2002 11:56:40 CET) --]
%gpg: Signature made ons 20-01-2002 22:05:07 CET using DSA key ID
%204A79C7
%[GNUPG:] ERRSIG 3D387689204A79C7 17 2 01 1011819907 9
%[GNUPG:] NO_PUBKEY 3D387689204A79C7
%gpg: Can't check signature: public key not found
%[-- End of PGP output --]
% 
% but on the other hand I don't have the pubkey of all the participants to
% the mailinglists.

So just tell gpg your favorite keyserver and let it go get them as
needed.


% 
% Thanks in advance.

HTH & HAND


% 
% Preben
% -- 
%  ()   Join the worldwide campaign to protect fundamental human rights.
% '||}
% {||'   http://www.amnesty.org/


:-D
-- 
David T-G  * It's easier to fight for one's principles
(play) [EMAIL PROTECTED] * than to live up to them. -- fortune cookie
(work) [EMAIL PROTECTED]
http://www.justpickone.org/davidtg/  Shpx gur Pbzzhavpngvbaf Qrprapl Npg!




msg23652/pgp0.pgp
Description: PGP signature


Re: Why sign posts on mailinglists?

2002-01-24 Thread Preben Randhol

David T-G <[EMAIL PROTECTED]> wrote on 24/01/2002 (12:18) :
> 
> This has come up at least twice, in great detail, in recent memory.
> Check the archives for more so that we don't have to get into it again :-)

Ah I found it in the archive. Sorry should have searched better. And I
also found a way to get rid of this problem with signed posts (which I
think is unnecessary for ordinary posts).

:-)

Preben
-- 
 ()   Join the worldwide campaign to protect fundamental human rights.
'||}
{||'   http://www.amnesty.org/



Re: Why sign posts on mailinglists?

2002-01-24 Thread David T-G

Preben --

...and then Preben Randhol said...
% 
% David T-G <[EMAIL PROTECTED]> wrote on 24/01/2002 (12:18) :
% > 
% > This has come up at least twice, in great detail, in recent memory.
% > Check the archives for more so that we don't have to get into it again :-)
% 
% Ah I found it in the archive. Sorry should have searched better. And I

No problem.


% also found a way to get rid of this problem with signed posts (which I
% think is unnecessary for ordinary posts).

Without rising to the bait of your latter statement, what did you find as
mentioned in your former statement?


% 
% :-)

TIA & HAND


% 
% Preben
% -- 
%  ()   Join the worldwide campaign to protect fundamental human rights.
% '||}
% {||'   http://www.amnesty.org/


:-D
-- 
David T-G  * It's easier to fight for one's principles
(play) [EMAIL PROTECTED] * than to live up to them. -- fortune cookie
(work) [EMAIL PROTECTED]
http://www.justpickone.org/davidtg/  Shpx gur Pbzzhavpngvbaf Qrprapl Npg!




msg23656/pgp0.pgp
Description: PGP signature


Re: Why sign posts on mailinglists?

2002-01-24 Thread Preben Randhol

David T-G <[EMAIL PROTECTED]> wrote on 24/01/2002 (12:38) :
> % also found a way to get rid of this problem with signed posts (which I
> % think is unnecessary for ordinary posts).
> 
> Without rising to the bait of your latter statement, what did you find as
> mentioned in your former statement?

No it has been discussed enough, but I found some macros that look
nice, though I haven't managed to test them yet.

Preben
-- 
 ()   Join the worldwide campaign to protect fundamental human rights.
'||}
{||'   http://www.amnesty.org/



Re: Why sign posts on mailinglists?

2002-01-24 Thread David T-G

Preben --

...and then Preben Randhol said...
% 
% David T-G <[EMAIL PROTECTED]> wrote on 24/01/2002 (12:38) :
% > % also found a way to get rid of this problem with signed posts (which I
% > % think is unnecessary for ordinary posts).
% > 
% > Without rising to the bait of your latter statement, what did you find as
% > mentioned in your former statement?
% 
% No it has been discussed enough, but I found some macros that look

*That* is certain!


% nice, though I haven't managed to test them yet.

Well, once you do, I'm interested in what you find.  I understand the
reasoning of the "don't sign mailing list posts" side and would like to
see things that make their lives easier.

If you don't want to be bothered, then please give me a pointer to the
macros that you found so that I can dig into them myself.


% 
% Preben

TIA & HAND


:-D
-- 
David T-G  * It's easier to fight for one's principles
(play) [EMAIL PROTECTED] * than to live up to them. -- fortune cookie
(work) [EMAIL PROTECTED]
http://www.justpickone.org/davidtg/  Shpx gur Pbzzhavpngvbaf Qrprapl Npg!




msg23658/pgp0.pgp
Description: PGP signature


Re: Why sign posts on mailinglists?

2002-01-24 Thread Preben Randhol

David T-G <[EMAIL PROTECTED]> wrote on 24/01/2002 (12:54) :
> Well, once you do, I'm interested in what you find.  I understand the
> reasoning of the "don't sign mailing list posts" side and would like to
> see things that make their lives easier.

> If you don't want to be bothered, then please give me a pointer to the
> macros that you found so that I can dig into them myself.
> 

http://www.mail-archive.com/mutt-users%40mutt.org/msg22532.html

Preben
-- 
 ()   Join the worldwide campaign to protect fundamental human rights.
'||}
{||'   http://www.amnesty.org/



Re: Why sign posts on mailinglists?

2002-01-24 Thread Preven Randhol

At some point hitherto, Preben Randhol hath spake thusly:
> David T-G <[EMAIL PROTECTED]> wrote on 24/01/2002 (12:18) :
> > 
> > This has come up at least twice, in great detail, in recent memory.
> > Check the archives for more so that we don't have to get into it again :-)
> 
> Ah I found it in the archive. Sorry should have searched better. And I
> also found a way to get rid of this problem with signed posts (which I
> think is unnecessary for ordinary posts).

Signing on mailing lists is used to prevent this problem (note the
From header of this message).

-- 
Derek Martin   [EMAIL PROTECTED]
-
I prefer mail encrypted with PGP/GPG!
GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu
Learn more about it at http://www.gnupg.org



Re: Why sign posts on mailinglists?

2002-01-24 Thread Derek D. Martin

At some point hitherto, Preven Randhol hath spake thusly:
> At some point hitherto, Preben Randhol hath spake thusly:
> > also found a way to get rid of this problem with signed posts (which I
> > think is unnecessary for ordinary posts).
> 
> Signing on mailing lists is used to prevent this problem (note the
> From header of this message).

Sorry I misspelled your name.  :) The point is, it's very, very easy
to forge mail to mailing lists (or not to mailing lists, for that
matter).  It's much harder to forge a valid, signed mail, because you
need access to the victim's PGP _private_ key, and their passphrase.

-- 
Derek Martin   [EMAIL PROTECTED]
-
I prefer mail encrypted with PGP/GPG!
GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu
Learn more about it at http://www.gnupg.org



msg23678/pgp0.pgp
Description: PGP signature


Re: Why sign posts on mailinglists?

2002-01-24 Thread Preben Randhol

"Drekka mer D. Martin" <[EMAIL PROTECTED]> wrote on 24/01/2002 (19:34) :

> Sorry I misspelled your name.  :) The point is, it's very, very easy
> to forge mail to mailing lists (or not to mailing lists, for that
> matter).  It's much harder to forge a valid, signed mail, because you
> need access to the victim's PGP _private_ key, and their passphrase.

Yes but who knows? I just get information from gnupg that it cannot
verify the signed posts here as it doesn't have the public key.

Preben
-- 
 ()   Join the worldwide campaign to protect fundamental human rights.
'||}
{||'   http://www.amnesty.org/



Re: Why sign posts on mailinglists?

2002-01-24 Thread Alexander Skwar

Thus spoke »Preben Randhol« on 2002-01-24 at 11:59:01 +0100:
> I have just installed gnupg on my system and set it up. I wonder
> however why people sign their mails to mailinglists? Perhaps there is

Unknown.  It doesn't add any security but just wastes bandwidth.

Alexander Skwar
-- 
How to quote:   http://learn.to/quote (German) http://quote.6x.to (English)
Homepage:   http://www.iso-top.de  | Jabber: [EMAIL PROTECTED]
   iso-top.de - The cheap way to get Linux distributions
   Uptime: 10 days 0 hours 18 minutes



Re: Why sign posts on mailinglists?

2002-01-24 Thread Will Yardley

Preben Randhol wrote:
[i'll respond to both posts since i held my tongue on the first for a
while]

> "Drekka mer D. Martin" <[EMAIL PROTECTED]> wrote on 24/01/2002
> (19:34) :
> 
> > The point is, it's very, very easy to forge mail to mailing lists
> > (or not to mailing lists, for that matter).  It's much harder to
> > forge a valid, signed mail, because you need access to the victim's
> > PGP _private_ key, and their passphrase.

yes but first of all, it's unlikely that someone's going to forge your
identity on some mailing list (and most of the time, if they do... who
cares). sign your messages if you are writing about something that's
actually sensitive, or that is likely to let's not take paranoia to
a ridiculous extent.

also, since most people on the list don't know you in real life, all
they know is that you're the same person who has always been writing
email under that name and with that PGP key.  there's no real advantage
to doing this IMHO in most cases.

yes ... we're all impressed that you have a PGP key... i have one too.
but it seems to me that people on this list sign stuff way too often.

> Yes but who knows? I just get information from gnupg that it cannot
> verify the signed posts here as it doesn't have the public key.

you can tell mutt not to automatically try and verify signed messages,
or else put a keyserver in your options file - this gets most people's
keys automatically.

[aside note]

i agree with recent posts about this list. this used to be one of the
lists i enjoyed reading most since most people had good etiquette
(unlike many other mailing lists i'm on) and since it had a minimum of
useless / ridiculously long threads.  however i am definitely getting
close to unsubbing at this point. by all means say something if you have
something constructive to add... but if you don't, then try to think for
a few minutes before posting.

just my $0.02

w



Re: Why sign posts on mailinglists?

2002-01-24 Thread Mike Schiraldi

> also, since most people on the list don't know you in real life, all
> they know is that you're the same person who has always been writing
> email under that name and with that PGP key.  there's no real advantage
> to doing this IMHO in most cases.

I disagree -- if Thomas didn't sign all his messages, i could write a
message to this list, pretending to be him, and say, "Hey, there's a problem
with mutt. You should all immediately apply the following patch. And don't
worry about checking to make sure that it's not a trojan horse; after all,
i'm Thomas. You can trust me."

Even though you've never met him, and only know him as "that guy who posts
to mutt-dev and signs messages with that key", you still want to be
protected from someone else coming along and taking over that identity.

Also, i'm not familiar with PGP, but at least with S/MIME, a signed message
generally contains the sender's certificate (public key). So by signing your
messages, it gets your certificate "out there".

This means, for example, that someone could take just this signed message,
extract my certificate, and send me an encrypted message --without having to
contact any keyservers--. 


-- 
Mike Schiraldi
VeriSign Applied Research



smime.p7s
Description: application/pkcs7-signature


Re: Why sign posts on mailinglists?

2002-01-24 Thread Derek D. Martin

At some point hitherto, Preben Randhol hath spake thusly:
> > matter).  It's much harder to forge a valid, signed mail, because you
> > need access to the victim's PGP _private_ key, and their passphrase.
> 
> Yes but who knows? I just get information from gnupg that it cannot
> verify the signed posts here as it doesn't have the public key.

Sure, but if you actually cared, you could get my key and try to
verify it.  Presumably, if you cared, you'd already have it, since my
key ID is in my sig, and since you can configure gpg/mutt to get keys
from a keyserver automatically.  If you had my key, it wouldn't
verify.

Someone else made a point about if someone spoofed a TR post saying
that you should apply some patch to mutt.  That's an excellent point.

Someone else asked who cares if someone spoofs someone else...  But
I've run into cases where some juvenile moron decided to spoof random
people to try to create ill will between list members.  So to answer
the question, if someone posts a message spoofing me, especially one
saying something that I don't believe or would never say, then *I*
care.  So, I sign my posts, as well as most of my personal mail.

It's largely a matter of principle.  I also encrypt nearly all mail I
send to people who are crypto-capable, regardless of what's in it.
Why?  Cuz it's nobody else's business.  Period.


-- 
Derek Martin   [EMAIL PROTECTED]
-
I prefer mail encrypted with PGP/GPG!
GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu
Learn more about it at http://www.gnupg.org



msg23730/pgp0.pgp
Description: PGP signature


Re: Why sign posts on mailinglists?

2002-01-24 Thread David Champion

On 2002.01.24, in <[EMAIL PROTECTED]>,
"Mike Schiraldi" <[EMAIL PROTECTED]> wrote:
> > also, since most people on the list don't know you in real life, all
> > they know is that you're the same person who has always been writing
> > email under that name and with that PGP key.  there's no real advantage
> > to doing this IMHO in most cases.
> 
> I disagree -- if Thomas didn't sign all his messages, i could write a
> message to this list, pretending to be him, and say, "Hey, there's a problem
> with mutt. You should all immediately apply the following patch. And don't
> worry about checking to make sure that it's not a trojan horse; after all,
> i'm Thomas. You can trust me."

Thomas *doesn't* sign all his messages. I'm happy with that; he signs
patches and other messages which regard potential threats to mutt's code
base.

PGP certainly should be used when the message requires some trust. I
don't think you'll find many people (if any) arguing with that. What's
at issue is: when is trust required? Some feel that it's always required
to ever be useful; others think it's only required on occasion.

But we've been over it many times on this list, and perhaps it's time
to talk about Mutt. I apologize for posting on this subject, but the
incorrect information seemed to be a bit of a threat. :) (I'd sign this
message, but my key is currently expired.)

-- 
 -D.  [EMAIL PROTECTED]  NSIT  University of Chicago



Re: Why sign posts on mailinglists?

2002-01-24 Thread Nick Wilson

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


* and then Will Yardley blurted
> i agree with recent posts about this list. this used to be one of the
> lists i enjoyed reading most since most people had good etiquette
> (unlike many other mailing lists i'm on) and since it had a minimum of
> useless / ridiculously long threads.  however i am definitely getting

Funny you should say that, I remember the good intentions of this
thread:

> This has come up at least twice, in great detail, in recent memory.
> Check the archives for more so that we don't have to get into it again :-)

So much for that :)

> close to unsubbing at this point. by all means say something if you have
> something constructive to add... but if you don't, then try to think for
> a few minutes before posting.

How about 'stick around Will, it's not that bad and you give good
answers'?

Regards, 
- -- 

Nick Wilson

Tel:+45 3325 0688
Fax:+45 3325 0677
Web:www.explodingnet.com



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)

iD8DBQE8UQl9HpvrrTa6L5oRAnWQAJ45YMh5FaTPgFPEuJXQ+iP9YGWojQCfVxHl
bziz+FBt1ihZnD1OKPlrQDM=
=VkAo
-----END PGP SIGNATURE-----



Re: Why sign posts on mailinglists?

2002-01-25 Thread Preben Randhol

"Derek D. Martin" <[EMAIL PROTECTED]> wrote on 25/01/2002 (09:25) :
> 
> Sure, but if you actually cared, you could get my key and try to
> verify it.  Presumably, if you cared, you'd already have it, since my
> key ID is in my sig, and since you can configure gpg/mutt to get keys
> from a keyserver automatically.  If you had my key, it wouldn't
> verify.

No I don't care to have a lot of pgp keys from strangers. But let's stop
this discussion now. There is no point in debating this again.

Preben
-- 
 ()   Join the worldwide campaign to protect fundamental human rights.
'||}
{||'   http://www.amnesty.org/