On 1/03/11 9:33 AM, David Shaw wrote:
That experiment, while interesting, is not relevant to the real
Martin / fake Martin situation we've been talking about. If both
Real Martin and Fake Martin have the same secret key, then there is
no way to tell them apart using signatures.
Hang on,
On 2/03/11 8:20 AM, Ingo Klöcker wrote:
Of course, my experience is from a time when UTF-8 wasn't used in email.
But do the standard mail clients (Outlook, GMail, Thunderbird) really
default to UTF-8 nowadays? Expecting people to properly configure their
mail clients is an unrealistic
On Mar 2, 2011, at 10:04 PM, Ben McGinnes wrote:
On 1/03/11 9:33 AM, David Shaw wrote:
That experiment, while interesting, is not relevant to the real
Martin / fake Martin situation we've been talking about. If both
Real Martin and Fake Martin have the same secret key, then there is
no
On 28-2-2011 23:23, Robert J. Hansen wrote:
He then learned that his users thought the banner across the top was
just another one of those annoying Flash ads, and they tuned it out.
Their senses were dulled by overadvertising. He had better also
distributed Adblock Plus to try to counter the
On Sunday 27 February 2011, Doug Barton wrote:
On 02/27/2011 02:04, Ingo Klöcker wrote:
On Saturday, February 26, 2011, MFPA wrote:
Hi
On Friday 25 February 2011 at 1:45:03 AM, in
mid:87lj14x4yo@servo.finestructure.net, Jameson Rollins
wrote:
Yikes! I thought we were
On 02/27/2011 08:27 PM, Robert J. Hansen wrote:
FM: [message]
RM: Hey, that's not me! I'm me. See? I've signed this with the same cert
I've used for everything else on this list.
FM: No, I'm the real Martin. I didn't sign up for this mailing list until
last week. You signed up here a
On Feb 28, 2011, at 8:18 AM, Aaron Toponce wrote:
On 02/27/2011 08:27 PM, Robert J. Hansen wrote:
FM: [message]
RM: Hey, that's not me! I'm me. See? I've signed this with the same cert
I've used for everything else on this list.
FM: No, I'm the real Martin. I didn't sign up for this
On Mon, Feb 28, 2011 at 09:12:33AM -0500, David Shaw wrote:
Unfortunately, barring the case where you have an actual trust path to either
Martin, key signatures don't tell you much. After all, FM could easily make
up dozens of fake people keys and use them to sign his key.
Yes. Understood.
On 2/28/11 10:13 AM, Aaron Toponce wrote:
If a key has falsified signatures, it should be easy enough to find out.
Why?
I have never understood the tendency of people, particularly on this
list, to assume that people who are technologically skilled and up to no
good will not devote more than
On 2/28/11 9:12 AM, David Shaw wrote:
In this particular case, though, key signatures aren't even necessary
- RM just needs to prove that he is the same entity that signed the
other messages to the list. That is, he's real in the sense that
he is the Martin that the list knows and has been
On Feb 28, 2011, at 12:01 PM, Robert J. Hansen wrote:
On 2/28/11 9:12 AM, David Shaw wrote:
In this particular case, though, key signatures aren't even necessary
- RM just needs to prove that he is the same entity that signed the
other messages to the list. That is, he's real in the sense
On Mon, Feb 28, 2011 at 11:58:02AM -0500, Robert J. Hansen wrote:
On 2/28/11 10:13 AM, Aaron Toponce wrote:
If a key has falsified signatures, it should be easy enough to find out.
Why?
I have never understood the tendency of people, particularly on this
list, to assume that people who
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Hi
On Monday 28 February 2011 at 3:02:08 AM, in
mid:010b72f5-dcb7-4877-a955-92ca0998b...@jabberwocky.com, David Shaw
wrote:
It is reasonable
that if someone was being masqueraded, that person
would speak up and challenge the forger (e.g. Hey,
On 2/28/11 4:59 PM, MFPA wrote:
I'm sure Martin would have something to say *if* he
spotted his key's signature on messages he didn't write...
Yes: but I suspect that may be a big if. If you see a message is
signed by an unknown key 0xDEADBEEF, do you really notice the 0xDEADBEEF
and go, hey,
On Feb 28, 2011, at 4:59 PM, MFPA wrote:
It is reasonable
that if someone was being masqueraded, that person
would speak up and challenge the forger (e.g. Hey,
you're not Martin! I'm the real Martin, and I can
prove it by signing this message with the same key I've
used all along).
On Feb 28, 2011, at 5:47 PM, Robert J. Hansen wrote:
On 2/28/11 12:10 PM, David Shaw wrote:
Well, I suppose that's up to you whether you want to trust RM or not.
A question on trustworthiness is outside crypto, and not what the
discussion was about here in any event.
First it was, even
On 2/28/11 12:10 PM, David Shaw wrote:
Well, I suppose that's up to you whether you want to trust RM or not.
A question on trustworthiness is outside crypto, and not what the
discussion was about here in any event.
First it was, even signatures from non-validated keys belonging to
non-trusted
* Doug Barton do...@dougbarton.us [110227 05:30]:
If you look at the characteristics of the actual messages encrypted mail
is very similar whether it's in-line or MIME. It's signed messages that
make things interesting because the signature in a MIME message is
actually (sort of) an
On Saturday, February 26, 2011, MFPA wrote:
Hi
On Friday 25 February 2011 at 1:45:03 AM, in
mid:87lj14x4yo@servo.finestructure.net, Jameson Rollins wrote:
Yikes! I thought we were almost done killing inline
signatures! Don't revive it now!
If PGP/MIME is broken on android,
On 2/26/11 9:24 PM, Jameson Rollins wrote:
http://josefsson.org/inline-openpgp-considered-harmful.html
* IT DOESN'T HANDLE ATTACHMENTS. That's fine with me: 95%+ of my
messages don't require attachments. Any technology that can hit 95% of
the use case is fine by me.
* IT DOESN'T LIKE
On 02/27/2011 12:21 PM, Robert J. Hansen wrote:
On 2/26/11 9:24 PM, Jameson Rollins wrote:
http://josefsson.org/inline-openpgp-considered-harmful.html
* IT DOESN'T HANDLE ATTACHMENTS. That's fine with me: 95%+ of my
messages don't require attachments. Any technology that can hit 95% of
* David Tomaschik da...@systemoverlord.com [110227 19:22]:
How about inline confuses users who don't know anything about OpenPGP?
100% agreed. Thank you!
Martin
___
Gnupg-users mailing list
On 2/27/11 1:13 PM, David Tomaschik wrote:
How about inline confuses users who don't know anything about OpenPGP?
1. Why are you sending them signed emails anyway?
2. And seeing strange MIME attachments doesn't confuse people?
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
David Tomaschik da...@systemoverlord.com wrote:
How about inline confuses users who don't know anything about
OpenPGP?
Meh. If anything, inline signatures sparked conversation.
- --
Sent from my Android phone with K-9 Mail. Please excuse my
* Robert J. Hansen r...@sixdemonbag.org [110227 20:28]:
How about inline confuses users who don't know anything about OpenPGP?
1. Why are you sending them signed emails anyway?
I sign *all* my e-mail except for messages sent from my mobile (in that
case, my signature tells the receiver why
Hi,
I once hoped the discussion about MIME vs. crufty inline signatures has
been settled a long time ago. Today that even Microsoft Outlook handles
it correctly for more than 7 years, the new excuse seems to be some
buggy new mail applications. I don't buy such an excuse. MIME is so
primitive
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
On 02/27/2011 02:37 PM, Martin Gollowitzer wrote:
* Robert J. Hansen r...@sixdemonbag.org [110227 20:28]:
How about inline confuses users who don't know anything about OpenPGP?
1. Why are you sending them signed emails anyway?
I sign *all*
On 2/27/11 2:37 PM, Martin Gollowitzer wrote:
I sign *all* my e-mail except for messages sent from my mobile (in that
case, my signature tells the receiver why the message is not signed and
offers the receiver to request a signed proof of authenticity later) or
messages to people who can't
On Sunday 27 February 2011, Aaron Toponce wrote:
David Tomaschik da...@systemoverlord.com wrote:
How about inline confuses users who don't know anything about
OpenPGP?
Meh. If anything, inline signatures sparked conversation.
Yeah. I think we should stop this pointless discussion. I doubt
On Feb 27, 2011, at 2:48 PM, Robert J. Hansen wrote:
2. And seeing strange MIME attachments doesn't confuse people?
Less than strange text fragments at the head and the bottom of a message
(Some people even think they are being spammed when they see inline PGP
data), because an attachment
On 02/27/2011 12:37 PM, Martin Gollowitzer wrote:
I sign *all* my e-mail except for messages sent from my mobile (in that
case, my signature tells the receiver why the message is not signed and
offers the receiver to request a signed proof of authenticity later) or
messages to people who can't
On 02/27/2011 02:04, Ingo Klöcker wrote:
On Saturday, February 26, 2011, MFPA wrote:
Hi
On Friday 25 February 2011 at 1:45:03 AM, in
mid:87lj14x4yo@servo.finestructure.net, Jameson Rollins wrote:
Yikes! I thought we were almost done killing inline
signatures! Don't revive it now!
If
On 02/27/2011 00:25, Martin Gollowitzer wrote:
* Doug Barton do...@dougbarton.us [110227 05:30]:
If you look at the characteristics of the actual messages encrypted mail
is very similar whether it's in-line or MIME. It's signed messages that
make things interesting because the signature in a
On Feb 27, 2011, at 2:48 PM, Robert J. Hansen wrote:
On 2/27/11 2:37 PM, Martin Gollowitzer wrote:
I sign *all* my e-mail except for messages sent from my mobile (in that
case, my signature tells the receiver why the message is not signed and
offers the receiver to request a signed proof of
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
On 27-02-2011 15:30, Martin Gollowitzer wrote:
* David Tomaschik da...@systemoverlord.com [110227 19:22]:
How about inline confuses users who don't know anything about OpenPGP?
100% agreed. Thank you!
IMHO they would be even more
On 02/27/2011 11:36, Werner Koch wrote:
Hi,
I once hoped the discussion about MIME vs. crufty inline signatures has
been settled a long time ago.
I love/admire your optimism. :)
Today that even Microsoft Outlook handles
it correctly for more than 7 years, the new excuse seems to be some
On Feb 27, 2011, at 5:17 PM, David Shaw wrote:
Can I see the HCI study that MIME attachments confuse people? ;)
I would love to see such a study. However, I never made that claim. :)
Someone else made the claim PGP/MIME is superior because inline OpenPGP
signatures confuse people. Okay,
I disagree with this. Obviously a bad signature doesn't say much (except
perhaps check your mail system - it's breaking things), but there is still
value in the continuity between multiple signed messages. It's important to
not make of that more than it is: for all I know there are 200
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
On 27-02-2011 20:54, Jean-David Beyer wrote:
Faramir wrote:
...
IMHO they would be even more confused if they can read the message.
And some others see the attached signatures and think Virus! Hit
delete, hit delete!.
...
If someone
I'm not at all surprised that you had those results. A limited subset of
people have support for OpenPGP signatures. A limited subset of those people
actually verify signatures. A limited subset of those people actually pay
attention to what those signatures say.
Yes: but one would hope
On Feb 27, 2011, at 10:05 PM, Robert J. Hansen wrote:
I'm not at all surprised that you had those results. A limited subset of
people have support for OpenPGP signatures. A limited subset of those
people actually verify signatures. A limited subset of those people
actually pay attention
On Feb 27, 2011, at 9:38 PM, Robert J. Hansen wrote:
I disagree with this. Obviously a bad signature doesn't say much (except
perhaps check your mail system - it's breaking things), but there is still
value in the continuity between multiple signed messages. It's important to
not make of
On 28/02/11 12:35 PM, Robert J. Hansen wrote:
On Feb 27, 2011, at 5:17 PM, David Shaw wrote:
Can I see the HCI study that MIME attachments confuse people? ;)
I would love to see such a study. However, I never made that claim. :)
Someone else made the claim PGP/MIME is superior
On 28/02/11 2:02 PM, David Shaw wrote:
I'm not at all surprised that you had those results. A limited
subset of people have support for OpenPGP signatures. A limited
subset of those people actually verify signatures. A limited subset
of those people actually pay attention to what those
I think we're missing each other here. We have Martin (the real one), the
fake Martin (let's call him Marty), and various other people on a mailing
list. Martin always signs his messages. One day Marty shows up and tries to
pretend to be Martin. Martin, not wanting someone else to
On Feb 27, 2011, at 10:27 PM, Robert J. Hansen wrote:
I think we're missing each other here. We have Martin (the real one), the
fake Martin (let's call him Marty), and various other people on a mailing
list. Martin always signs his messages. One day Marty shows up and tries
to pretend
On 02/27/2011 08:31 PM, Robert J. Hansen wrote:
the default mail app on a Verizon Droid X running Android 2.2 has broken MIME
support.
Please post this bit of useful details to the Android PGP/MIME test
results thread started by Grant Olson, which actually has an acceptable
signal-to-noise
On 02/27/2011 10:22 PM, Ben McGinnes wrote:
On 28/02/11 2:02 PM, David Shaw wrote:
I'm not at all surprised that you had those results. A limited
subset of people have support for OpenPGP signatures. A limited
subset of those people actually verify signatures. A limited subset
of those
Please post this bit of useful details to the Android PGP/MIME test
results thread started by Grant Olson, which actually has an acceptable
signal-to-noise ratio.
As I have said a few times now, I have been out of town at a funeral. I have
just now returned and am for the most part
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
On 28-02-2011 0:27, Robert J. Hansen wrote:
...
Then we're at an impasse, because that claim wouldn't fly with me. Let's
imagine Fake-Martin and Real-Martin (FM and RM).
FM: [message]
RM: Hey, that's not me! I'm me. See? I've signed
On Feb 27, 2011, at 8:35 PM, Robert J. Hansen wrote:
On Feb 27, 2011, at 5:17 PM, David Shaw wrote:
Can I see the HCI study that MIME attachments confuse people? ;)
I would love to see such a study. However, I never made that claim. :)
Someone else made the claim PGP/MIME is
On 28/02/11 2:59 PM, Grant Olson wrote:
I've been toying with the idea of expiring my key and seeing how
long it takes for anyone to notice. In fact, I've just decided I
will do this sometime in the next year. It'll be interesting to see
how long it takes people to notice even after I've
On 02/27/2011 11:48 PM, Ben McGinnes wrote:
On 28/02/11 2:59 PM, Grant Olson wrote:
I've been toying with the idea of expiring my key and seeing how
long it takes for anyone to notice. In fact, I've just decided I
will do this sometime in the next year. It'll be interesting to see
how long
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Hi
On Friday 25 February 2011 at 1:45:03 AM, in
mid:87lj14x4yo@servo.finestructure.net, Jameson Rollins wrote:
Yikes! I thought we were almost done killing inline
signatures! Don't revive it now!
If PGP/MIME is broken on android, we
(Wikimedia-related key) avi.w...@gmail.com
Primary key fingerprint: 167C 063F 7981 A1F6 71EC ABAA 0D62 B019 F80E
29F9
From: Martin Gollowitzer go...@fsfe.org
To: gnupg-users@gnupg.org
Date: Fri, 25 Feb 2011 19:56:21 +0100
Subject: Re: PGP/MIME considered harmful for mobile (Jameson Rollins
On Sat, 26 Feb 2011 21:02:08 -0500, Avi avi.w...@gmail.com wrote:
Why? Inline is simple and effective. I'm curious as to why you
feel MIME is so much better.
http://josefsson.org/inline-openpgp-considered-harmful.html
jamie.
On 27/02/11 1:24 PM, Jameson Rollins wrote:
On Sat, 26 Feb 2011 21:02:08 -0500, Avi avi.w...@gmail.com wrote:
Why? Inline is simple and effective. I'm curious as to why you
feel MIME is so much better.
http://josefsson.org/inline-openpgp-considered-harmful.html
Thanks for the link.
I'd
On 02/26/2011 18:53, Ben McGinnes wrote:
On 27/02/11 1:24 PM, Jameson Rollins wrote:
On Sat, 26 Feb 2011 21:02:08 -0500, Avi avi.w...@gmail.com wrote:
Why? Inline is simple and effective. I'm curious as to why you
feel MIME is so much better.
On 27/02/11 3:28 PM, Doug Barton wrote:
If you look at the characteristics of the actual messages encrypted
mail is very similar whether it's in-line or MIME.
Exactly, the encrypted output in both methods uses base-64 encoding.
It's signed messages that make things interesting because the
On 25/02/11 07:43, Robert J. Hansen wrote:
On 2/24/11 10:15 PM, Daniel Kahn Gillmor wrote:
my colleague is using the application named email, version 2.2.2 on a
stock 2.2.1 motorola droid.
My problem is reproducible on a stock Droid X running 2.2.something --
just got off a very long flight,
On 25.02.11 07:43, Robert J. Hansen wrote:
On 2/24/11 10:15 PM, Daniel Kahn Gillmor wrote:
my colleague is using the application named email, version 2.2.2 on a
stock 2.2.1 motorola droid.
My problem is reproducible on a stock Droid X running 2.2.something --
just got off a very long
* Patrick Brunschwig patr...@mozilla-enigmail.org [110225 10:10]:
On 25.02.11 07:43, Robert J. Hansen wrote:
On 2/24/11 10:15 PM, Daniel Kahn Gillmor wrote:
my colleague is using the application named email, version 2.2.2 on a
stock 2.2.1 motorola droid.
My problem is reproducible on a
On 02/25/2011 12:11 PM, Martin Gollowitzer wrote:
* Patrick Brunschwig patr...@mozilla-enigmail.org [110225 10:10]:
The only mail client on Android I know of to handle OpenPGP messages is
K9 (together with APG). But K9 only supports inline-PGP, PGP/MIME
messages are not displayed.
This is
* Robert J. Hansen r...@sixdemonbag.org [110225 07:47]:
There are good reasons to prefer a PGP/MIME and S/MIME signature
standards over inline PGP.
And vice-versa. In inline's defense, it *works*, and PGP/MIME often
doesn't.
Maybe one should think about *why* this is the case.
On Feb 25, 2011, at 12:29 PM, Daniel Kahn Gillmor wrote:
On 02/25/2011 12:11 PM, Martin Gollowitzer wrote:
* Patrick Brunschwig patr...@mozilla-enigmail.org [110225 10:10]:
The only mail client on Android I know of to handle OpenPGP messages is
K9 (together with APG). But K9 only supports
Subject: Re: PGP/MIME considered harmful for mobile
On Thu, 24 Feb 2011 20:22:03 -0500, Robert J. Hansen
r...@sixdemonbag.org wrote:
Just as an FYI to the list --
On Android's mail application, PGP/MIME attachments are nigh-unusable.
It won't render even the plaintext portions: it has
* Daniel Kahn Gillmor d...@fifthhorseman.net [110225 18:31]:
On 02/25/2011 12:11 PM, Martin Gollowitzer wrote:
* Patrick Brunschwig patr...@mozilla-enigmail.org [110225 10:10]:
The only mail client on Android I know of to handle OpenPGP messages is
K9 (together with APG). But K9 only
* Avi avi.w...@gmail.com [110225 19:21]:
For those of us who use webmail, inline signatures are rather
useful.
There are webmail applications supporting PGP/MIME. If yours doesn't, it
is not a good one. Inline signatures are not a good thing IMHO.
Martin
On 02/25/2011 01:37 PM, Martin Gollowitzer wrote:
Sorry for the misunderstanding: The message body is being displayed, but
the signature is not verified. K9 is the only e-mail client for Android
that I consider usable.
I just received corroboration of a successful read (albeit without
On 2/25/2011 12:56 PM, Martin Gollowitzer wrote:
* Avi avi.w...@gmail.com [110225 19:21]:
For those of us who use webmail, inline signatures are rather
useful.
There are webmail applications supporting PGP/MIME. If yours doesn't, it
is not a good one. Inline signatures are not a good thing
On 02/24/2011 11:43 PM, Robert J. Hansen wrote:
My problem is reproducible on a stock Droid X running 2.2.something --
just got off a very long flight, funeral in the morning: I'll dig the
precise version number tomorrow.
So, I've been doing some triaging to see if I can reproduce this on
Just as an FYI to the list --
On Android's mail application, PGP/MIME attachments are nigh-unusable.
It won't render even the plaintext portions: it has to be downloaded and
opened with a text reader. If you're concerned about your mail being
readable on a mobile device (which is increasingly
On 02/24/2011 08:22 PM, Robert J. Hansen wrote:
On Android's mail application, PGP/MIME attachments are nigh-unusable.
It won't render even the plaintext portions: it has to be downloaded and
opened with a text reader. If you're concerned about your mail being
readable on a mobile device
On Thu, 24 Feb 2011 20:22:03 -0500, Robert J. Hansen r...@sixdemonbag.org
wrote:
Just as an FYI to the list --
On Android's mail application, PGP/MIME attachments are nigh-unusable.
It won't render even the plaintext portions: it has to be downloaded and
opened with a text reader. If
On Thu, Feb 24, 2011 at 08:22:03PM -0500, Robert J. Hansen wrote:
On Android's mail application, PGP/MIME attachments are nigh-unusable.
It won't render even the plaintext portions: it has to be downloaded and
opened with a text reader. If you're concerned about your mail being
readable on a
On 02/24/2011 08:22 PM, Robert J. Hansen wrote:
On Android's mail application, PGP/MIME attachments are nigh-unusable.
It won't render even the plaintext portions: it has to be downloaded and
opened with a text reader. If you're concerned about your mail being
readable on a mobile device
On 02/25/2011 03:15 AM, Daniel Kahn Gillmor wrote:
I do *not* consider PGP/MIME harmful for mobile.
They might not be harmful for ~your~ mobile...
Any mail with attachments is likely to be harmful for mobile.
You just don't know what device and what program will be used to
read your mail and
On 02/24/2011 11:15 PM, M.R. wrote:
On 02/25/2011 03:15 AM, Daniel Kahn Gillmor wrote:
I do *not* consider PGP/MIME harmful for mobile.
They might not be harmful for ~your~ mobile...
heh. i don't have a mobile, so i can guarantee that :)
Any mail with attachments is likely to be harmful
On 2/24/11 8:33 PM, Daniel Kahn Gillmor wrote:
thanks for the heads-up, Robert. I'm assuming you're talking about
PGP/MIME signed mail, not encrypted mail.
Correct.
Has this been reported to wherever this mailreader tracks their bugs?
if so, could you provide a link to the bug report? I'd
On 2/24/11 10:15 PM, Daniel Kahn Gillmor wrote:
my colleague is using the application named email, version 2.2.2 on a
stock 2.2.1 motorola droid.
My problem is reproducible on a stock Droid X running 2.2.something --
just got off a very long flight, funeral in the morning: I'll dig the
precise
On 2/25/11 12:37 AM, Daniel Kahn Gillmor wrote:
There are good reasons to prefer a PGP/MIME and S/MIME signature
standards over inline PGP.
And vice-versa. In inline's defense, it *works*, and PGP/MIME often
doesn't.