On (14/09/01 15:00), David T-G wrote:

> ...and then Ailbhe Leamy said... 
% On (14/09/01 09:41), David T-G wrote: 
[attribs snipped, because it's basically a David-Ailbhe-David
discussion so far]

% Having a valid From: address is hardly the same as adding a 
% pgp-signature to things. 
% 
% Having a sigfile doesn't seem like the same thing to me, either.

> I accept both of those points.  I also reserve the right to draw the
> "same thing" line anywhere I please.

I understand that. I was kind of hoping you could explain to me why you
seem to think that they _are_ the same thing. For some reason I'm
assuming that you haven't drawn a line arbitrarily based on the colour
of the dirt on your shoes, or something.

> % > It is my not-so-humble opinion that everyone everywhere should be

> % Yes, but _why_?
>
> Why use PGP/GPG?  Because it should be mainstream and available
> to all, it should be easy to use and familiar to all, and private
> communication should be both available and commonplace rather than
> challenging and noteworthy.

OK, all of this I understand. I completely fail to understand why it
should apply to public communication, as distinct from private
communication.

> % In what way is it useful to pgp-sign or encrypt a mail that is for
>
> I can't think of a time I'd encrypt a mail to a mailing list, since I
> don't know of any encryption-aware mailing list servers (though such
> things have been discussed even here).

Oh good.

> It's useful to sign a message
> so that others can confirm that the message came from me as they see
> it -- whether because I am concerned about forgery, concerned about
> a patch or piece of code being maliciously modified, or concerned
> about my messages being accidentally munged in transmission (found
> on this list only a month or two ago and brought to my attention by
> a guy -- whose name I have now forgotten but whose attention is
> still appreciated -- who wondered why my messages kept saying "bad
> signature" and eventually tracked down to an added space and newline,
> IIRC).

All of these are good reasons, and I understand that if in the past you
have been a victim of malicious forgery, or anything else, you'd want
to make sure it couldn't happen again. But I don't see how pgp-signing
things to a public mailing list ensures that.

> % distribution to a mailing list? You are aware of the fact that there
> % are archives?
>
> Yes.  I must admit that I don't see your point here, though.

Well, if I read your mail using a browser to access the archives, I
absolutely cannot verify whether your pgp signature is good, bad, or
yellow.

> % > Everything I can do to encourage such behavior and raise
> % > everyone's awareness is thus a good thing.  Since I don't often
> % > have to post anonymously (though I generally don't have a problem
> % > with those who do), I can sign everything.
> %
> % OK. That's really useful. I see this. Er. Where's your public
> % key? And
>
> At the moment I'm in transition, so you'll not find a public key for
> [EMAIL PROTECTED] out there; sorry about that, but you can find
> it if you look for [EMAIL PROTECTED] and messages sent there will
> get to me.  You can, however, find my key on the public key servers as
> well as at my web site; just ask.

Well, since every message you send is pgp-signed, having your public
key would be useful, I think. Though admittedly a valid public key for
the address you actually use would be best.

> % how do I verify that it _is_ your public key? If I can't, what
> % possible use could it be?
>
> It's a start.  I haven't been to any signing parties, I admit, but
> there are those who have bothered to contact me directly and exchange
> keys.

Well, it's probably because I know too many people too interested in
security, but I'd not trust your key to prove anything unless we
exchanged keys face to face, and even then I wouldn't trust it much
unless it had been signed by people I know and trust. I don't know you,
I therefore don't trust you, and I don't trust your public key. All it
proves to me is that your messages are probably consistently being sent
by the same person.

> % > Here, of all places, it should be no biggie; mutt can handle
> % > GPG/PGP with ease, and procmail/formail could strip out the
> % > signature entirely, and this is the group that would know how to
> % > do it.

> % I repeat: archives?
> % http://groups.yahoo.com/group/mutt-users/message/21394
>
> Looks fine to me.  I still don't see your point.  You can't be arguing
> that I shouldn't sign my messages because the archive server can't
> read 'em, and I can't imagine that you'd argue that signing is useless
> because the archive doesn't retain it (but if you are my answer is "So
> what? I have no particular interest in the archives and can't help
> that the signature is stripped.").

Um. Does "I have no particular interest in the archives" translate to
"I have no particular interest in the people who read the list
primarily through the archives"? or am I missing some small but vital
point? Is it OK if I send pgp-signed mail under your name to the
archives, because anyone reading it will assume it's from you, but
they're not important enough to make you worry?

> Thanks for the discussion.  I'm happy to continue, since I feel that
> I have a position that can be logically defended, but I don't have to
> and certainly don't have to on the list to the borement of most or
> all.  I welcome your reply.

I'm very interested in your defence of your position. I know quite well
that you are under no obligation to continue this discussion (though my
hit team will be on your doorstep if you don't! Mwahahahahaha! er,
sorry), and I haven't seen anyone else complain that we're boring
them... though if I get more than one such remark, whether on list or
off, I promise I'll take it to private mail.

Fascinated,

Ailbhe

-- 
Homepage: http://ailbhe.ossifrage.net/
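The "bad signature" caused by an added space and newline that David mentions above comes down to one property: a signature is checked over the exact bytes, so anything a list server or gateway changes in transit invalidates it unless the text is canonicalised first (PGP/MIME, RFC 3156, requires CRLF line endings and no trailing whitespace in the signed part for this reason). The script below is an added example and is not part of the original thread or of mutt. Python's standard library has no OpenPGP implementation, so an HMAC-SHA256 over a constructed key stands in for the public-key signature; the messages are constructed, and the function and variable names are the example's own.

```python
"""
Added example (not from the original thread): why a transit-added trailing
space or a changed line ending turns a signature check into "bad signature",
and how canonicalising the text first keeps the check robust without
letting real tampering through.

HMAC-SHA256 stands in for the OpenPGP signature here (assumption: the
standard library has no OpenPGP); the property demonstrated, that
verification is over exact bytes, is the same.
"""
import hashlib
import hmac

# Constructed key; a real setup would use the sender's OpenPGP secret key.
SIGNING_KEY = b"example-signing-key-not-a-real-secret"


def canonicalize(text: str) -> bytes:
    """Normalise a body the way PGP/MIME expects before signing or verifying:
    every line ends in CRLF and carries no trailing spaces or tabs.
    Leading whitespace is kept, so indented patch lines survive intact."""
    lines = [line.rstrip(" \t") for line in text.splitlines()]
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def sign(text: str, canonical: bool) -> str:
    """Return a hex signature over the raw bytes (canonical=False) or over
    the canonicalised bytes (canonical=True)."""
    data = canonicalize(text) if canonical else text.encode("utf-8")
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest()


def verify(text: str, signature: str, canonical: bool) -> bool:
    """Recompute the signature the same way and compare in constant time."""
    return hmac.compare_digest(sign(text, canonical), signature)


# Constructed sample message as the sender wrote it.
ORIGINAL = "Here is the patch:\n-    foo();\n+    bar();\n"
# Same message after a gateway added a trailing space and rewrote LF to CRLF.
MUNGED = "Here is the patch: \r\n-    foo();\r\n+    bar();\r\n"
# Same message with the patch itself altered: this must still be rejected.
TAMPERED = "Here is the patch:\n-    foo();\n+    baz();\n"


def demo() -> dict:
    """Sign ORIGINAL both ways and check each copy against each signature."""
    sig_raw = sign(ORIGINAL, canonical=False)
    sig_canon = sign(ORIGINAL, canonical=True)
    return {
        # Raw-byte signature: whitespace munging alone breaks it.
        "raw_sig_survives_transit": verify(MUNGED, sig_raw, canonical=False),
        # Canonicalised signature: the munged copy still verifies.
        "canonical_sig_survives_transit": verify(MUNGED, sig_canon, canonical=True),
        # Canonicalisation does not mask a changed byte inside the content.
        "canonical_sig_accepts_tampering": verify(TAMPERED, sig_canon, canonical=True),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The canonicalisation only strips trailing whitespace and fixes line endings; an extra appended line still counts as a change, which is the correct behaviour, since a verifier cannot tell a harmless blank line from an added one.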
