On Tuesday 20 of December 2011 17:34:24 Johan Wevers wrote:
> On 20-12-2011 16:49, Hubert Kario wrote:
> > Yeah, the kind of "protections" banks use is funny. But then, what can
> > they do when people forget their passwords 5 minutes after they set them
> > or use the same password on facebook and
On 20-12-2011 16:49, Hubert Kario wrote:
> Yeah, the kind of "protections" banks use is funny. But then, what can they
> do
> when people forget their passwords 5 minutes after they set them or use the
> same password on facebook and their bank...
They could use the same system that all banks
On Monday 19 of December 2011 10:36:33 Jerome Baum wrote:
> On 2011-12-19 10:31, Jerome Baum wrote:
> > My understanding is that name + DoB + place of birth together are
> > unique. Sometimes. In theory.
>
> Oh but that doesn't mean we should all add our DoB to our UIDs now.
> Remember that your Do
On 16 December 2011 18:50, Daniel Kahn Gillmor wrote:
> On 12/16/2011 10:51 AM, gn...@lists.grepular.com wrote:
>> I understand that once you've uploaded something to the keyservers, it
>> can't be removed. Eg, if I sign someone else's key and upload that, it
>> will be attached to their key perman
On 2011-12-19 10:31, Jerome Baum wrote:
> My understanding is that name + DoB + place of birth together are
> unique. Sometimes. In theory.
Oh but that doesn't mean we should all add our DoB to our UIDs now.
Remember that your DoB is actually secret and only your credit card
company is meant to kn
On 2011-12-18 23:40, MFPA wrote:
>> So are
>> certification policies that say (or don't say but
>> enforce anyway) that you must have an email on your
>> UID. Why refuse to certify _less_ information?
>
> Why indeed. My government won't issue a passport that doesn't include
> my date of birth. The
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Hi
On Sunday 18 December 2011 at 12:06:22 PM, in
, Werner Koch wrote:
> An interesting way to spam key owners. Not a big deal,
> it is easy to add a procmail rule to send them to the
> bit bucket.
I'd not considered the scenario of uploading mu
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Hi
On Saturday 17 December 2011 at 4:58:28 PM, in
, Jerome Baum wrote:
> On 2011-12-17 17:04, MFPA wrote:
>> On Saturday 17 December 2011 at 3:25:56 PM, in
>> , Jerome Baum wrote:
>>> I doubt the validity of those automated checks and
>>> checks
On Sat, 17 Dec 2011 17:15, expires2...@ymail.com said:
> A key's UIDs don't *have to* contain email addresses. But in the case
> where they do, a verification email would be a useful addition. But
An interesting way to spam key owners. Not a big deal, it is easy to
add a procmail rule to send th
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Hi
On Friday 16 December 2011 at 3:51:34 PM, in
, gn...@lists.grepular.com
wrote:
> I understand that once you've uploaded something to the
> keyservers, it can't be removed. Eg, if I sign someone
> else's key and upload that, it will be attached
On 2011-12-17 17:04, MFPA wrote:
> On Saturday 17 December 2011 at 3:25:56 PM, in
> , Jerome Baum wrote:
>> I doubt the validity of those automated checks and
>> checks on the email anyway. What constitutes "owning"
>> f...@example.com?
>
> As far as that server's checking is concerned, being able
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Hi
On Saturday 17 December 2011 at 4:34:23 PM, in
, Jerome Baum wrote:
> On 2011-12-17 16:42, Aaron Toponce wrote:
>> I guess Anonymous or LULZ Security, or the like, could do it out of sheer
>> entertainment, but it would die quickly, as the eff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Hi
On Friday 16 December 2011 at 5:50:53 PM, in
, Daniel Kahn Gillmor wrote:
> well, there's the JBARSE key, which i vaguely recall
> having been created in a joking way to threaten
> character assassination, but i can't find any keys that
> it h
On 2011-12-17 17:15, MFPA wrote:
> Since you don't log into a keyserver when you post, and keyservers
> store data but do not perform cryptographic functions, this is pretty
> much inevitable. The "keyserver-no-modify" flag could, in theory,
> carry with it a requirement that modifications to a key
On 2011-12-17 16:42, Aaron Toponce wrote:
> I guess Anonymous or LULZ Security, or the like, could do it out of sheer
> entertainment, but it would die quickly, as the effort in maintaining the
> noise outweighs the benefit of annoying users by several orders of
> magnitude.
I think the point was
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Hi
On Saturday 17 December 2011 at 1:23:18 PM, in
, gn...@lists.grepular.com
wrote:
> I find it strange that the keyservers don't do any sort
> of email validation before accepting key submissions
A key's UIDs don't *have to* contain email addre
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Hi
On Saturday 17 December 2011 at 3:25:56 PM, in
, Jerome Baum wrote:
> I doubt the validity of those automated checks and
> checks on the email anyway. What constitutes "owning"
> f...@example.com?
As far as that server's checking is concerned
On Dec 17, 2011, at 10:25 AM, Jerome Baum wrote:
> On 2011-12-17 16:17, David Shaw wrote:
>> It's an interesting server, with different semantics than the
>> traditional keyserver net that we were talking about earlier. Most
>> significantly, it emails the keyholder (at the address on the key)
>>
On Fri, Dec 16, 2011 at 03:51:34PM +, gn...@lists.grepular.com wrote:
> I understand that once you've uploaded something to the keyservers, it
> can't be removed. Eg, if I sign someone else's key and upload that, it
> will be attached to their key permanently?
>
> What if someone were to generat
On 2011-12-17 16:17, David Shaw wrote:
> It's an interesting server, with different semantics than the
> traditional keyserver net that we were talking about earlier. Most
> significantly, it emails the keyholder (at the address on the key)
> before accepting the key into the server. It also sign
On Dec 17, 2011, at 8:23 AM, gn...@lists.grepular.com wrote:
> On 16/12/11 19:07, ved...@nym.hush.com wrote:
>
>> What if keyservers were to limit the amount of keys generated or
>> uploaded to a 'reasonable' amount which no 'real' user would
>> exceed?
>>
>> (i.e. 10/day, or some other number
I have uploaded my key to a keyserver at pgp.com: uploading a key to their
keyserver requires a verification by e-mail. Every id (e-mail address) in
your key receives an e-mail. Respond to one of those e-mails (clicking
link) to verify you issued the key replacement. But when (one of) your
e-mail accou
On 17/12/11 13:33, Jerome Baum wrote:
>> I find it strange that the keyservers don't do any sort of email
>> validation before accepting key submissions and that they just allow
>> anyone to upload signatures for your key without verifying if you want
>> to allow them first.
>
> What about keys w
On 2011-12-17 14:58, gn...@lists.grepular.com wrote:
> So you agree that there is a point where putting security measures in
> place is a good idea. Where you disagree with me, is you think it is
> unlikely that the keyservers will be abused in this manner in the near
> future.
>
> I guess neither
On 2011-12-17 14:54, gn...@lists.grepular.com wrote:
>> What about keys without an email in the UID?
>
> For the first issue regarding uploading keys, you wouldn't be able to do
> email validation on a key that doesn't have an email address in the UID.
> At the same time, for those keys, you would
On 17/12/11 14:58, gn...@lists.grepular.com wrote:
> It would only take one troll.
Yet, so far so good (in general). And the infrastructure has existed for quite
some years already.
OpenPGP might never become popular enough to attract childish people to the
keyserver network :). I certainly hope
On 17/12/11 14:23, gn...@lists.grepular.com wrote:
> I find it strange that the keyservers don't do any sort of email
> validation before accepting key submissions and that they just allow
> anyone to upload signatures for your key without verifying if you want
> to allow them first.
The key prope
On 17/12/11 13:40, Jerome Baum wrote:
>> The system can be easily abused, therefore it will be abused. It's just
>> a matter of time. How much time, depends on if/when PGP becomes more
>> popular. It doesn't strike me as unreasonable to want to put defences in
>> place before an attack begins.
>
On 2011-12-17 14:29, gn...@lists.grepular.com wrote:
> The system can be easily abused, therefore it will be abused. It's just
> a matter of time. How much time, depends on if/when PGP becomes more
> popular. It doesn't strike me as unreasonable to want to put defences in
> place before an attack b
On 2011-12-17 14:23, gn...@lists.grepular.com wrote:
> I find it strange that the keyservers don't do any sort of email
> validation before accepting key submissions and that they just allow
> anyone to upload signatures for your key without verifying if you want
> to allow them first.
What about
eed upon by the
>> various keyservers?)
>
> What problem are we solving? Keyserver spam isn't an issue yet. We don't
> know if it will ever be.
The system can be easily abused, therefore it will be abused. It's just
a matter of time. How much time, depends on if/wh
On 16/12/11 19:07, ved...@nym.hush.com wrote:
> What if keyservers were to limit the amount of keys generated or
> uploaded to a 'reasonable' amount which no 'real' user would
> exceed?
>
> (i.e. 10/day, or some other number discussed and agreed upon by the
> various keyservers?)
You could st
y the
> various keyservers?)
What problem are we solving? Keyserver spam isn't an issue yet. We don't
know if it will ever be.
--
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA
--
nameserver 217.79.186.148
nameserver 178.63.2
What if keyservers were to limit the amount of keys generated or
uploaded to a 'reasonable' amount which no 'real' user would
exceed?
(i.e. 10/day, or some other number discussed and agreed upon by the
various keyservers?)
vedaal
On 16-12-2011 16:51, gn...@lists.grepular.com wrote:
> I understand that once you've uploaded something to the keyservers, it
> can't be removed. Eg, if I sign someone else's key and upload that, it
> will be attached to their key permanently?
Yes. Of course, you can remove it locally.
> What if
On Dec 16, 2011, at 10:51 AM, gn...@lists.grepular.com wrote:
> I understand that once you've uploaded something to the keyservers, it
> can't be removed. Eg, if I sign someone else's key and upload that, it
> will be attached to their key permanently?
Essentially, yes. Things are theoretically r
On 12/16/2011 10:51 AM, gn...@lists.grepular.com wrote:
> I understand that once you've uploaded something to the keyservers, it
> can't be removed. Eg, if I sign someone else's key and upload that, it
> will be attached to their key permanently?
yes, this is correct. :(
> What if someone were to
I understand that once you've uploaded something to the keyservers, it
can't be removed. Eg, if I sign someone else's key and upload that, it
will be attached to their key permanently?
What if someone were to generate say, 10,000 keypairs with "offensive"
uid names, and then sign my key with each o
> Interestingly enough, the first email I read this morning had a link to
> this:
>
> http://tech.slashdot.org/story/10/06/12/2339209/Google-Tells-Congress-It-Disclosed-Wi-Fi-Sniffing
>
> And that is just the tip of the iceberg.
>
> --
> Jerry
OMG!! Google is stealing and archiving pictures of m
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Sat, 12 Jun 2010 07:58:19 -0500
Sonja Michelle Lina Thomas articulated:
> > I would not trust Google with your data, far less mine. They have
> > already been accused of illegally pilfering through user data and
> > mining for user wireless info
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Hi
On Saturday 12 June 2010 at 12:37:08 PM, in
, Jerry wrote:
> I would not trust Google with your data, far less mine.
The problem is that you never know if your contact will forward things
to a google account...
- --
Best regards
MFPA
Jerry wrote:
On Sat, 12 Jun 2010 06:22:47 -0500
Sonja Michelle Lina Thomas articulated:
I use gmail for my SMTP needs. I have accounts on a couple of unix
machines, yahoo, gmail, aim, my business hosted via godaddy and I
choose gmail as the default SMTP server for all of them. Works like a
ch
On Sat, 12 Jun 2010 08:39:00 -0400
Jean-David Beyer articulated:
> Yes, I did. They will not accept anything from my MTA even when I use
> the smarthost feature. I can use either their web site server (that I
> detest) or Firefox, but they will not allow sendmail even with
> smarthost.
Please
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
> I would not trust Google with your data, far less mine. They have
> already been accused of illegally pilfering through user data and mining
> for user wireless information. I avoid them like the plague whenever
> possible.
Pffft, they can't get t
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Sat, 12 Jun 2010 06:22:47 -0500
Sonja Michelle Lina Thomas articulated:
> I use gmail for my SMTP needs. I have accounts on a couple of unix
> machines, yahoo, gmail, aim, my business hosted via godaddy and I
> choose gmail as the default SMTP se
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I use gmail for my SMTP needs. I have accounts on a couple of unix
machines, yahoo, gmail, aim, my business hosted via godaddy and I choose
gmail as the default SMTP server for all of them. Works like a charm.
http://lifehacker.com/66/how-to-use-g
MFPA wrote:
The Spamhaus PBL might very well list you.
76.185.38.113 is listed in the PBL
Mailservers using this blocklist would probably block mail from
you.
Of course, even Spamhaus's own website says the PBL is not a
blacklist and that you can remove your IP address from their list i
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Hi
On Friday 11 June 2010 at 2:34:44 PM, in
, Mark H. Wood wrote:
> If there is such an RFC, it's rubbish;
I think there is no such RFC, just an assertion from a messaging
industry lobbying group that it's the "best" practice to block mail
from
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Hi
On Friday 11 June 2010 at 8:00:09 PM, in
, Jerry wrote:
> On Fri, 11 Jun 2010 11:18:05 -0500 John Clizbe
> articulated:
>> Mark H. Wood wrote: > On Thu, Jun 10, 2010 at
>> 05:57:50PM +0200, Joke de Buhr wrote: >> You do not
>> sacrifice legi
On Fri, 11 Jun 2010 11:18:05 -0500
John Clizbe articulated:
> Mark H. Wood wrote:
> > On Thu, Jun 10, 2010 at 05:57:50PM +0200, Joke de Buhr wrote:
> >> You do not sacrifice legitimate incoming mail because there is an
> >> RFC that clearly states mailservers do not operate from dynamic IP
> >>
f public keyservers that did not reveal email addresses. User
IDs could contain a hash of the email address. Applications querying
the keyservers could query for the hashed email address. Privacy would
be the main advantage to such a system; eliminating the possibility of
keyserver spam is a positive
Mark H. Wood wrote:
> On Thu, Jun 10, 2010 at 05:57:50PM +0200, Joke de Buhr wrote:
>> You do not sacrifice legitimate incoming mail because there is an RFC that
>> clearly states mailservers do not operate from dynamic IP addresses.
>> Therefore
>> they can not be considered valid.
>
> If ther
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Hi
On Thursday 10 June 2010 at 4:39:46 PM, in
, Hauke Laging
wrote:
> But that is the wrong argument. The correct argument is
> about the key server share of spam in a world in which
> nearly everyone has a public key. Of course, in that
> world
On Thu, Jun 10, 2010 at 05:57:50PM +0200, Joke de Buhr wrote:
> You do not sacrifice legitimate incoming mail because there is an RFC that
> clearly states mailservers do not operate from dynamic IP addresses.
> Therefore
> they can not be considered valid.
If there is such an RFC, it's rubbish
On Fri, 11 Jun 2010 09:15:56 +0200
Werner Koch articulated:
> On Fri, 11 Jun 2010 02:16, expires2...@ymail.com said:
>
> > delete them if they don't. Or one message to everybody with a
> > customised subject line for each. Alternatively, those of us who are
>
> That is a good idea. I was think
On Fri, 11 Jun 2010 02:16, expires2...@ymail.com said:
> delete them if they don't. Or one message to everybody with a
> customised subject line for each. Alternatively, those of us who are
That is a good idea. I was thinking of bisecting the mailing list to
make sure that test mails receive the
On 6/10/2010 8:16 PM, MFPA wrote:
> Whenever I post to this list these days I get one of their
> auto-replies, and they always spoof the from address to whatever I had
> in the "to" field of my message to the list.
[lots of discussion deleted]
I think it's safe to say the list moderators are now
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Hi
On Thursday 10 June 2010 at 6:04:37 PM, in
, Hauke Laging
wrote:
> On Thursday 10 June 2010 18:39:25 Jameson Rollins
> wrote:
>> Speaking of spam, I'm getting more spam from some sort of automated
>> ticketing system that seems to be subsc
On -10/01/37 20:59, Joke de Buhr wrote:
> You do not sacrifice legitimate incoming mail because there is an RFC that
> clearly states mailservers do not operate from dynamic IP addresses.
> Therefore
> they can not be considered valid.
Which RFC would this be?
I could not find the word "dynami
On Thursday 10 June 2010 18:39:25 Jameson Rollins wrote:
> Speaking of spam, I'm getting more spam from some sort of automated
> ticketing system that seems to be subscribed to this list than I ever
> have from a keyserver. The mail seems to come from:
>
> secure.mpcustomer.com
>
> and it of
Speaking of spam, I'm getting more spam from some sort of automated
ticketing system that seems to be subscribed to this list than I ever
have from a keyserver. The mail seems to come from:
secure.mpcustomer.com
and it often sets the From: to be from someone else. This is totally
uncool. Is th
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Hi
On Thursday 10 June 2010 at 4:57:50 PM, in
, Joke de Buhr wrote:
> One of the addresses of my key is totally unprotected
> against spam. Nothing is blocked or scanned there. And
> it doesn't get any spam at all.
Fair enough.
> As far as I
On 06/10/2010 11:57 AM, Joke de Buhr wrote:
> You do not sacrifice legitimate incoming mail because there is an RFC that
> clearly states mailservers do not operate from dynamic IP addresses.
> Therefore
> they can not be considered valid.
Please cite this RFC. All IP addresses are "dynamic" i
On Thu, 10 Jun 2010 11:32:05 -0400, Daniel Kahn Gillmor
wrote:
> And i should probably add that it is indeed an infinitesimal drop in the
> bucket compared to the other spam i receive; i'm not concerned about it.
Not to mention that the bother of a couple of extra spams is completely
dwarfed by
On Thursday 10 June 2010 17:29:18 MFPA wrote:
> Hi
>
>
> On Thursday 10 June 2010 at 3:35:34 PM, in
>
> , Joke de Buhr wrote:
> > I've never gotten any keyserver related spam so far and
> > my public keys with a valid mail address were published
> > year ago.
>
> In order to *know* you have nev
On Thursday 10 June 2010 16:00:18 David Shaw wrote:
> Periodically there is a discussion on this list about whether having your
> key on a keyserver will result in more spam. My feeling on this is that
> you might get more spam, but it's a drop in the bucket compared to the
> usual onslaug
Hi Joke--
On 06/10/2010 11:22 AM, Joke de Buhr wrote:
> I never said this particular spam message was not caused by someone scanning
> the keyserver. I only stated it isn't that common and never happened to me.
>
> The chance someone harvesting your email address through keyserver scanning
> is
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Hi
On Thursday 10 June 2010 at 3:35:34 PM, in
, Joke de Buhr wrote:
> I've never gotten any keyserver related spam so far and
> my public keys with a valid mail address were published
> year ago.
In order to *know* you have never received any ke
I never said this particular spam message was not caused by someone scanning
the keyserver. I only stated it isn't that common and never happened to me.
The chance someone harvesting your email address through keyserver scanning is
less common than harvesting archives of mailing lists.
Keyserve
> On Thursday 10 June 2010 16:00:18 David Shaw wrote:
>> Hi everyone,
>>
>> Periodically there is a discussion on this list about whether having your
>> key on a keyserver will result in more spam. My feeling on this is that
>> you might get more spam, but it's a drop in the bucket compared to th
I've never gotten any keyserver related spam so far and my public keys with a
valid mail address were published year ago.
I think it's more likely you will get spam because you are posting to a
mailing list which does have a html archive (like this one).
If you want to get rid of most spam, jus
Hi everyone,
Periodically there is a discussion on this list about whether having your key
on a keyserver will result in more spam. My feeling on this is that you might
get more spam, but it's a drop in the bucket compared to the usual onslaught
that streams in daily.
That being said, I just