Re: GPG testing...

2002-12-30 Thread Michael O'Donnell
> No, [GPG] is not flawed, either, anymore than a wrench > is "flawed" because it makes a lousy screwdriver. Right. Funny - this all reminds me of the time when my little sister and I were presented with a pair of walkie-talkies. Our parents were initially pleased to see how much fun we had u

Re: GPG testing...

2002-12-30 Thread Jerry Feldman
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Content-Type: text/plain; charset=us-ascii Derek, On your key I get Signature made Mon 30 Dec 2002 01:19:00 PM EST using DSA key ID DFBEAD02 Good signature from "Derek D. Martin <[EMAIL PROTECTED]>" WARNING: This key is not certified with a trusted s

RE: GPG testing...

2002-12-30 Thread Travis Roy
> On Mon, 30 Dec 2002, at 8:10am, [EMAIL PROTECTED] wrote: > [commentary about non-repudiation not being possible on the Internet] >> This was EXACTLY my point as to why GPG/PGP for signing email is >> currently >> flawed the way it works now. > > No, it is not flawed, either, anymore than a wren

RE: GPG testing...

2002-12-30 Thread bscott
On Mon, 30 Dec 2002, at 8:10am, [EMAIL PROTECTED] wrote: [commentary about non-repudiation not being possible on the Internet] > This was EXACTLY my point as to why GPG/PGP for signing email is currently > flawed the way it works now. No, it is not flawed, either, anymore than a wrench is "flawe

RE: GPG testing...

2002-12-30 Thread Travis Roy
This was EXACTLY my point as to why GPG/PGP for signing email is currently flawed the way it works now. > Case in point: This discussion originated as a discussion > about using digital signatures to counter spam. Since > digital signatures, on today's Internet, are relatively > uncommon, th

Re: GPG testing...

2002-12-29 Thread bscott
On Sat, 28 Dec 2002, at 11:06pm, [EMAIL PROTECTED] wrote: > Like everything else pertaining to information assurance, it's a matter of > risk management. That is exactly my point. :-) The more I deal with the world, the more I think that the word "security" is inherently misleading. I agr

Re: GPG testing...

2002-12-29 Thread bscott
On Sun, 29 Dec 2002, at 10:24pm, [EMAIL PROTECTED] wrote: >> That is rather missing the point. The reason non-repudiation is desired >> is that it means one cannot say, "I never sent that." > > No, that's only one reason. The other reason is to say, "we can prove > that you sent this." No, th

Re: GPG testing...

2002-12-29 Thread bscott
On Sat, 28 Dec 2002, at 9:56pm, [EMAIL PROTECTED] wrote: > They do provide one-way non-repudiation... in the case the mail was > signed. That is rather missing the point. The reason non-repudiation is desired is that it means one cannot say, "I never sent that." Discretionary signing means one

RE: GPG testing...

2002-12-29 Thread Travis Roy
> You should probably ask what is meant by that before you rush > to such conclusions... In two messages in this thread you > seem in quite a hurry to bash PGP... The key servers are not > a security risk to PGP users or "broken" in any serious sense > (that I'm aware of). However most of th

RE: GPG testing...

2002-12-29 Thread Travis Roy
> I'm guessing that you don't really understand how OpenPGP > works; the keyservers are *NOT* trusted, so problems with the > keyservers do not affect the operation of GPG or PGP, except > that it may make it harder to obtain a copy of someone's key. I understand that the keyservers are not tru

Re: GPG testing...

2002-12-28 Thread Mark Komarinski
On Sat, Dec 28, 2002 at 09:59:46PM -0500, Travis Roy wrote: > > My public key is available from my web site as well, if only > > Outlook would show all the headers (or does it now?). Hence > > the reason why I asked if I should publish it on the > > keyservers or leave it on my web site. > > O

RE: GPG testing...

2002-12-28 Thread Travis Roy
D]>; Sat, 28 Dec 2002 20:52:53 -0500 Received: from mkomarinski by shaft with local (Exim 3.35 #1 (Debian)) id 18SSd9-00019J-00; Sat, 28 Dec 2002 20:52:43 -0500 Date: Sat, 28 Dec 2002 20:52:43 -0500 From: Mark Komarinski <[EMAIL PROTECTED]> To: Travis Roy <[EMAIL PROTECTED]> Cc

Re: GPG testing...

2002-12-28 Thread Roger H. Goun
On Sat, Dec 28, 2002 at 03:32:25PM -0500, mike ledoux <[EMAIL PROTECTED]> wrote: > Your key wasn't on any of the keyservers, but I've got mutt > configured to grab keys from certain URLs in the headers so getting > your key wasn't a problem for me. Neat trick. How do you do that? -- Roger -- Ro

Re: GPG testing...

2002-12-28 Thread Mark Komarinski
On Sat, Dec 28, 2002 at 04:17:49PM -0500, Travis Roy wrote: > > and Outlook users will not be able > > to read the message at all. > > I use Outlook (the one with OfficeXP) and it came up fine, just had an > attachment that some people might be scared of Bah. ;) > > My recommendation is to p

RE: GPG testing...

2002-12-28 Thread Travis Roy
> and Outlook users will not be able > to read the message at all. I use Outlook (the one with OfficeXP) and it came up fine, just had an attachment that some people might be scared of > My recommendation is to publish your key to > 'keyserver.kjsl.com', which is currently the least broken k

RE: GPG testing...

2002-12-28 Thread Travis Roy
> Isn't one of the points of GPG to validate that the person > you're talking to is really who they say they are? GPG > allows me to do that, by signing my e-mails. If it's not > signed, then it's not from me. I used pgp for a while and I actually found it more of a hassle explaining to peopl

Re: GPG testing...

2002-12-28 Thread bscott
On Sat, 28 Dec 2002, at 2:08pm, [EMAIL PROTECTED] wrote: >> It validates that the sender had access to your private key. Presumably, >> only you have access to your key, but even that is far from a given in >> anonymous communications. > > They'd also need your pass phrase. They'd need your pri

Re: GPG testing...

2002-12-28 Thread Jason Stephenson
[EMAIL PROTECTED] wrote: On Sat, 28 Dec 2002, at 1:45pm, [EMAIL PROTECTED] wrote: Isn't one of the points of GPG to validate that the person you're talking to is really who they say they are? It validates that the sender had access to your private key. Presumably, only you have access to y

Re: GPG testing...

2002-12-28 Thread bscott
On Sat, 28 Dec 2002, at 1:45pm, [EMAIL PROTECTED] wrote: > Isn't one of the points of GPG to validate that the person you're talking > to is really who they say they are? It validates that the sender had access to your private key. Presumably, only you have access to your key, but even that is

Re: GPG testing...

2002-12-28 Thread bscott
On Sat, 28 Dec 2002, at 1:37pm, [EMAIL PROTECTED] wrote: >> So some fsckwad is using my good name to send spam. Either that, >> or there's a new spam going around that just says 'fuck you'. > > Fascinating. Why would anybody do such a thing to you? Spammers often spoof the 'From' header to b

Re: GPG testing...

2002-12-28 Thread Mark Komarinski
On Sat, Dec 28, 2002 at 01:37:22PM -0500, Michael O'Donnell wrote: > > > > So some fsckwad is using my good name to send spam. Either that, > > or there's a new spam going around that just says 'fuck you'. > > Fascinating. Why would anybody do such a thing to you? Do you > have enemies? Wher

Re: GPG testing...

2002-12-28 Thread John Abreau
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Content-Type: text/plain; charset=us-ascii Mark Komarinski <[EMAIL PROTECTED]> writes: > 1) Can you read this? Yes, I can read your message, but exmh was unable to auto-fetch your key; I had to do that by hand and then import it into my keyring.

Re: GPG testing...

2002-12-28 Thread Michael O'Donnell
> So some fsckwad is using my good name to send spam. Either that, > or there's a new spam going around that just says 'fuck you'. Fascinating. Why would anybody do such a thing to you? Do you have enemies? Where can one see an example of the forgery? > So, time to start signing with GPG so

GPG testing...

2002-12-28 Thread Mark Komarinski
So some fsckwad is using my good name to send spam. Either that, or there's a new spam going around that just says 'fuck you'. So, time to start signing with GPG so at least I know when I sent something, and the rest of you do, too. I've got mutt set up on my home machine and have GPG set up wit