Re: message signing
* Peter T. Abplanalp <[EMAIL PROTECTED]> [2002-04-01 12.14 -0700]: [...] > right. that is what i thought. so the question remains, how does one > develop a web of trust using good judgement while probably being unable > to verify anyone's identity outside of long distance (email, phone, fax, etc) > means? If you ever receive a good answer to this question, please let me in on the secret! Cheers, -- Martin | PGP/GPG: | There is no cow Karlsson | 9C924660 |on the ice. msg26517/pgp0.pgp Description: PGP signature
Re: message signing
Others have answered the other points, so I'll just answer this: On Mon, Apr 01, 2002 at 11:00:39AM -0700, [EMAIL PROTECTED] wrote: > so you are saying it is a totally subjective judgement call? Yes. It's a question of trust, which is very difficult to compute algorithmically... The question is: (for local signing) Are you convinced that the keyholder is actually the person they say they are? (for export signing) all the above, plus: Are you willing to stake your reputation on guaranteeing that the keyholder is the person they say they are? Personally, I have not signed *any* keys on my keyring /yet/ (except my own). IMHO, identity validation should only happen in person, or if you know the person well enough to recognise their voice, you could do it over the phone. For example, I could validate friends from Uni over the phone, but people from my local LUG (where email is the only main channel of communication) would only be validated face-to-face (maybe with exchange of other forms of ID). Of course, you only have to exchange key fingerprints over the validating channel, not entire keys. -- David Smith| Tel: +44 (0)1454 462380Home: +44 (0)1454 616963 STMicroelectronics | Fax: +44 (0)1454 617910 Mobile: +44 (0)7932 642724 1000 Aztec West| TINA: 065 2380 Almondsbury| Work Email: [EMAIL PROTECTED] BRISTOL, BS32 4SQ | Home Email: [EMAIL PROTECTED]
Re: message signing
> Something isn't configured properly in your GnuPG. It sounds like it > doesn't trust YOUR key. entirely possible but i think everything is set up correctly. here is what i get when i run a check on my key: pub 1024D/7D224574 created: 2002-01-09 expires: never trust: -/u sub 1024g/CB44AB9B created: 2002-01-09 expires: never (1). Peter T. Abplanalp <[EMAIL PROTECTED]> Command> check uid Peter T. Abplanalp <[EMAIL PROTECTED]> sig! 7D224574 2002-01-09 [self-signature] sig! 09468BD5 2002-02-06 Peter T. Laird <[EMAIL PROTECTED]> here is what i get when i run a check on your key: pub 1024D/18A4D476 created: 2000-05-03 expires: never trust: -/q sub 1024g/F43253AD created: 2000-05-03 expires: never (1). Shawn McMahon <[EMAIL PROTECTED]> Command> check uid Shawn McMahon <[EMAIL PROTECTED]> sig! 18A4D476 2000-05-03 [self-signature] sig! 7D224574 2002-04-01 Peter T. Abplanalp <[EMAIL PROTECTED] which leads me to believe that everything is as it should be. finally, here is the output of gpg when i view an email signed by (presumably) you: gpg: Signature made Mon Apr 1 11:53:14 2002 MST using DSA key ID 18A4D476 gpg: Good signature from "Shawn McMahon <[EMAIL PROTECTED]>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. gpg: Fingerprint: 0488 2065 CC6B 20CB 31E5 6529 FD1D F6BB 18A4 D476 which is the same message i get from gpg on a signed email for which i did not sign the key. so what is up with that? after lsigning the key, i figured i would lose the warning because i had signed the key with my own. > That's good judgement. right. that is what i thought. so the question remains, how does one develop a web of trust using good judgement while probably being unable to verify anyone's identity outside of long distance (email, phone, fax, etc) means? -- Peter Abplanalp Email: [EMAIL PROTECTED] PGP: pgp.mit.edu msg26490/pgp0.pgp Description: PGP signature
Re: message signing
begin quoting what Peter T. Abplanalp said on Mon, Apr 01, 2002 at 11:00:39AM -0700: > > ok. just to see how things work, i lsigned the key that i got from the > keyserver when i opened the email i am responding to. presumably your > key and email ;-). now when mutt invokes gpg, i get the same message of > "good signature but no validity." that being the case, what is the purpose > of lsigning a key? Something isn't configured properly in your GnuPG. It sounds like it doesn't trust YOUR key. > as i asked above, why? what purpose does lsigning serve? When things are configured properly, it establishes that you trust the key. > so you are saying it is a totally subjective judgement call? that means > i could sign all the keys i have from this list and send everyone a copy > back and that would be ok? No, that would be BAD judgement, and everybody would set their trust on your key to nil. > angry. especially due to the fact that my one pgp friend wouldn't sign > my key unless i brought it to him on a floppy. he didn't check my id > presumably because he felt confident he could still recognize me. That's good judgement. msg26472/pgp0.pgp Description: PGP signature
OT: web of trust [was Re: message signing]
On Mon, Apr 01, 2002 at 01:00:39PM -0500, Peter T. Abplanalp wrote: > ok. just to see how things work, i lsigned the key that i got from the > keyserver when i opened the email i am responding to. presumably your > key and email ;-). now when mutt invokes gpg, i get the same message of > "good signature but no validity." that being the case, what is the purpose > of lsigning a key? You might not care about the actual real-world identity of someone; you may only care to know that two messages from them did, in fact, come from the same person. In that case, you don't want to sign the key in a sharable way, because that certifies the identity associated with the key; but you can lsign it is an indication to yourself of your decision to treat the key that way, or just to shut the program up about the unsigned key. > so you are saying it is a totally subjective judgement call? Yes. > that means i could sign all the keys i have from this list and > send everyone a copy back and that would be ok? Okay from a web-of-trust sense. Not so okay from a spam-avoidance sense. :) > somehow i think some people would become angry. Most folks wouldn't get angry; they just wouldn't trust your signature. Your signature on a key doesn't do the owner of that key any good unless folks trust YOU to make the right decision when signing keys. If you make a habit of signing keys without verifying the ID, then your signature just becomes worthless. -- Mark REED| CNN Internet Technology 1 CNN Center Rm SW0831G | [EMAIL PROTECTED] Atlanta, GA 30348 USA | +1 404 827 4754 -- Remember the... the... uhh. msg26471/pgp0.pgp Description: PGP signature
Re: message signing
On Mon, Apr 01, 2002 at 12:42:19PM -0500, Shawn McMahon wrote: > If you're using GnuPG, see the "lsign" option. ok. just to see how things work, i lsigned the key that i got from the keyserver when i opened the email i am responding to. presumably your key and email ;-). now when mutt invokes gpg, i get the same message of "good signature but no validity." that being the case, what is the purpose of lsigning a key? > If you're signing the key because you trust it, but aren't willing to > put your name on the line to vouch for it, local-sign (lsign) it. as i asked above, why? what purpose does lsigning serve? > If you are willing to put your reputation on the line as proclaiming > the validity of the key, sign it, and send the owner a signed copy. Don't > do that unless you're sure it's legit; and email ain't "sure". so you are saying it is a totally subjective judgement call? that means i could sign all the keys i have from this list and send everyone a copy back and that would be ok? somehow i think some people would become angry. especially due to the fact that my one pgp friend wouldn't sign my key unless i brought it to him on a floppy. he didn't check my id presumably because he felt confident he could still recognize me. -- Peter Abplanalp Email: [EMAIL PROTECTED] PGP: pgp.mit.edu msg26469/pgp0.pgp Description: PGP signature
Re: message signing
begin quoting what Peter T. Abplanalp said on Mon, Apr 01, 2002 at 10:37:49AM -0700: > > just wondering why the non-standards-following option contains the word > traditional. Because usage of PGP predates the establishment of standards. > helpfull and it sort of relates to mutt...what is the "accepted" > method for signing keys? i have heard everything from "don't sign a key > unless you got it on a floppy from the person and checked his/her id" to > "if the fingerprint in the signature matches, signing is ok." If you're using GnuPG, see the "lsign" option. If you're signing the key because you trust it, but aren't willing to put your name on the line to vouch for it, local-sign (lsign) it. If you are willing to put your reputation on the line as proclaiming the validity of the key, sign it, and send the owner a signed copy. Don't do that unless you're sure it's legit; and email ain't "sure". msg26468/pgp0.pgp Description: PGP signature
Re: message signing
On Mon, Apr 01, 2002 at 05:33:36PM +0100, Dave Smith wrote: > You could succumb to the non-standards-following world and use the > pgp_create_traditional variable. There are also other ways of signing > messages that have been used in the past, and many discussions have taken > place here, and patches have been posted to allow it. Check the archives > if you want it. just wondering why the non-standards-following option contains the word traditional. btw - thanks for the advice on the send hooks, etc. also, i have tried asking this question in lists where it belongs but haven't gotten any satisfactory responses and since you all seem so helpfull and it sort of relates to mutt...what is the "accepted" method for signing keys? i have heard everything from "don't sign a key unless you got it on a floppy from the person and checked his/her id" to "if the fingerprint in the signature matches, signing is ok." my dilema is that i have few friends (ok one) who use pgp but i would still like to build up some sort of web-of-trust. -- Peter Abplanalp President - Senior Developer PSA Consultants, Inc. Cell:(303) 810-9574 Fax: (303) 790-7504 Email: [EMAIL PROTECTED] PGP: pgp.mit.edu Address: 10408 Carriage Club Drive Littleton, CO 80124 msg26467/pgp0.pgp Description: PGP signature
Re: message signing
Peter, et al -- ...and then Peter T. Abplanalp said... % % hi all. just a quick question from a newbie. i usually sign all my Welcome! % emails but one of the lists i write to complains that it will not accept % emails with attachments due to the fact that they don't want to spread Yeah, I know of one of those, too. Are you by chance a Toshiba user? :-) % msft viruses. now it is my understanding that when you sign an email you % are actually sending a multipart "page" with the message being part 1 and % the signature being part 2. if that is the case then it would seem to me That's when it's done The Right Way Note that this is highly volatile flame fodder; see the archives for many virulent and voluminous discussions of How To Sign and Where To Sign and When To Sign. You've been warned :-) and somewhat informed. % that i cannot send signed emails to this list. is my understanding valid? % is there another way to send signed emails? and now for the mutt tie-in, mutt also supports $pgp_create_traditional to put the signature in the body of the message ("in-line signing"), which should work for this list and which is required for Outhouse users. % can i set mutt up to automatically not sign emails to particular address? You can, but for reasons mentioned in the various flame wars I don't recommend it. If you're going to sign at all, then why sometimes not sign and weaken the other half of your PGP presence? % i have read about the *-hooks but am still new to mutt. might someone give % an example or two of how this might be done. thanks! You probably want a send-hook, since you'd trigger this based on an address. First you should establish the default behavior: send-hook . set pgp_autosign Next, because more than one send-hook can apply to a message, you handle your exception case(s): send-hook lousylist unset pgp_autosign That's all there is to it. % % -- % Peter Abplanalp % Email: [EMAIL PROTECTED] % PGP: pgp.mit.edu HTH & HAND :-D -- David T-G * It's easier to fight for one's principles (play) [EMAIL PROTECTED] * than to live up to them. -- fortune cookie (work) [EMAIL PROTECTED] http://www.justpickone.org/davidtg/Shpx gur Pbzzhavpngvbaf Qrprapl Npg! msg26466/pgp0.pgp Description: PGP signature
Re: message signing
begin quoting what Dave Smith said on Mon, Apr 01, 2002 at 05:33:36PM +0100: > > You could succumb to the non-standards-following world and use the > pgp_create_traditional variable. There are also other ways of signing My two cents: Succumb. Inline sigs are annoying, and when you get a complaint, you can say "well, if the list admin would allow standards-compliant sigs, you wouldn't see all that garbage in the messages. Complain to him, not me.". msg26465/pgp0.pgp Description: PGP signature
Re: message signing
On Mon, Apr 01, 2002 at 09:09:38AM -0700, [EMAIL PROTECTED] wrote: > hi all. just a quick question from a newbie. i usually sign all my > emails but one of the lists i write to complains that it will not accept > emails with attachments due to the fact that they don't want to spread > msft viruses. now it is my understanding that when you sign an email you > are actually sending a multipart "page" with the message being part 1 and > the signature being part 2. if that is the case then it would seem to me > that i cannot send signed emails to this list. is my understanding valid? Yes. > is there another way to send signed emails? You could succumb to the non-standards-following world and use the pgp_create_traditional variable. There are also other ways of signing messages that have been used in the past, and many discussions have taken place here, and patches have been posted to allow it. Check the archives if you want it. > and now for the mutt tie-in, > can i set mutt up to automatically not sign emails to particular address? > i have read about the *-hooks but am still new to mutt. might someone give > an example or two of how this might be done. thanks! 1. Complain to the list admin about their broken list. 2. Example (untested, made up from memory...): send-hook .set pgp_autosign send-hook [EMAIL PROTECTED] unset pgp_autosign -- David SmithWork Email: [EMAIL PROTECTED] STMicroelectronics Home Email: [EMAIL PROTECTED] Bristol, England
message signing
hi all. just a quick question from a newbie. i usually sign all my emails but one of the lists i write to complains that it will not accept emails with attachments due to the fact that they don't want to spread msft viruses. now it is my understanding that when you sign an email you are actually sending a multipart "page" with the message being part 1 and the signature being part 2. if that is the case then it would seem to me that i cannot send signed emails to this list. is my understanding valid? is there another way to send signed emails? and now for the mutt tie-in, can i set mutt up to automatically not sign emails to particular address? i have read about the *-hooks but am still new to mutt. might someone give an example or two of how this might be done. thanks! -- Peter Abplanalp Email: [EMAIL PROTECTED] PGP: pgp.mit.edu msg26463/pgp0.pgp Description: PGP signature