Ailbhe --
...and then Ailbhe Leamy said...
% On (14/09/01 15:00), David T-G wrote:
%
% > ...and then Ailbhe Leamy said...
% % On (14/09/01 09:41), David T-G wrote:
% [attribs snipped, because it's basically a David-Ailbhe-David
% discussion so far]
Oh, but that's where the fun comes in! :-)
%
% % Having a valid From: address is hardly the same as adding a
% % pgp-signature to things.
% %
% % Having a sigfile doesn't seem like the same thing to me, either.
%
% > I accept both of those points. I also reserve the right to draw the
% > "same thing" line anywhere I please.
%
% I understand that. I was kind of hoping you could explain to me why you
% seem to think that they _are_ the same thing. For some reason I'm
Sure. Think of the line as a linear equation, much like x=y. On the low
end of the graph you have someone who perhaps signs his name at the bottom
of his post but has an anonymous address like "[EMAIL PROTECTED]"
or such, or one who [perhaps] has some nameless address and doesn't fill
in a name. In the middle you have someone who has realistic contact
information in his email. On the high side you have someone who not
only provides a name (more in a moment) but also provides a mechanism for
not only ensuring that the post came from him but also which you might,
through the WoT, be able to believe to be a real person.
This, as it stands, certainly isn't perfect as a means of identification,
but that's not my goal. I have created the persona [EMAIL PROTECTED],
and will later connect that to [EMAIL PROTECTED], but neither of
those is guaranteed to tell you anything about David Thorburn-Gundlach.
I have also created the persona [EMAIL PROTECTED] for my work as the
Keeper of the Light Bulb Joke List, and it doesn't have to be related to
davidtg@bigfoot even if I'm the same physical natural person.
% assuming that you haven't drawn a line arbitrarily based on the colour
% of the dirt on your shoes, or something.
Nope :-)
%
% > Why use PGP/GPG? Because it should be mainstream and available
% > to all, it should be easy to use and familiar to all, and private
% > communication should be both available and commonplace rather than
% > challenging and noteworthy.
%
% OK, all of this I understand. I completely fail to understand why it
% should apply to public communication, as distinct from private
% communication.
1) What I say publicly should be verifiable as coming from me, or perhaps
that should be stated as it should be clear that something publicly
stated in my name that didn't come from me in fact did not.
2) By using PGP in public communication I reach the greater masses and,
even if it's when people ask "hey, what's this .att thing on your mail?",
spread the word about PGP.
%
% > % In what way is it useful to pgp-sign or encrypt a mail that is for
% >
% > I can't think of a time I'd encrypt a mail to a mailing list, since I
% > don't know of any encryption-aware mailing list servers (though such
% > things have been discussed even here).
%
% Oh good.
Do I detect a note of relief? :-) C'mon, a note encrypted to 140 people
wouldn't be *that* big!
%
...
% > still appreciated -- who wondered why my messages kept saying "bad
% > signature" and eventually tracked down to an added space and newline,
% > IIRC).
%
% All of these are good reasons, and I understand that if in the past you
% have been a victim of malicious forgery, or anything else, you'd want
% to make sure it couldn't happen again. But I don't see how pgp-signing
% things to a public mailing list ensures that.
Why should I wait until something happens before wanting to ensure that
it can't happen? By signing *everything* I send I increase the
understanding that anything I don't sign probably didn't come from me.
%
% > % distribution to a mailing list? You are aware of the fact that there
% > % are archives?
% >
% > Yes. I must admit that I don't see your point here, though.
%
% Well, if I read your mail using a browser to access the archives, I
% absolutely cannot verify whether your pgp signature is good, bad, or
% yellow.
So I now understand. I must respond "your loss", since the message was
signed when I sent it.
If your point is that, since the archives toss the signature, I should
dispense with signing, I heartily disagree.
%
% > % OK. That's really useful. I see this. Er. Where's your public
% > % key? And
% >
% > At the moment I'm in transition, so you'll not find a public key for
% > [EMAIL PROTECTED] out there; sorry about that, but you can find
% > it if you look for [EMAIL PROTECTED] and messages sent there will
% > get to me. You can, however, find my key on the public key servers as
% > well as at my web site; just ask.
%
% Well, since every message you send is pgp-signed, having your public
You can obtain it by searching for the key ID instead of the email
address, or by dropping me a note directly (and you can verify the key
you get back, now that you'll have the additional information, with the
public servers). It's not that it doesn't exist.
% key would be useful, I think. Though admittedly a valid public key for
% the address you actually use would be best.
Yup; I'm workin' on it.
%
% > % how do I verify that it _is_ your public key? If I can't, what
% > % possible use could it be?
% >
% > It's a start. I haven't been to any signing parties, I admit, but
% > there are those who have bothered to contact me directly and exchange
% > keys.
%
% Well, it's probably because I know too many people too interested in
% security, but I'd not trust your key to prove anything unless we
% exchanged keys face to face, and even then I wouldn't trust it much
% unless it had been signed by people I know and trust. I don't know you,
I think that that's a healthy attitude, and one to maintain when dealing
with particularly sensitive matters.
% I therefore don't trust you, and I don't trust your public key. All it
% proves to me is that your messages are probably consistently being sent
% by the same person.
That's a start, though; imagine a forged message -- which you can with
fair certainty determine did not come from that same person.
%
% > % > Here, of all places, it should be no biggie; mutt can handle
...
%
% > % I repeat: archives?
% > % http://groups.yahoo.com/group/mutt-users/message/21394
% >
% > Looks fine to me. I still don't see your point. You can't be arguing
...
% > what? I have no particular interest in the archives and can't help
% > that the signature is stripped.").
%
% Um. Does "I have no particular interest in the archives" translate to
% "I have no particular interest in the people who read the list
% primarily through the archives"? or am I missing some small but vital
No, I meant "I have no financial involvement or controlling ability"
(though I might, through something such as a letter-writing campaign,
have some influence just like anyone else); their decision to strip
the signatures (what about attached files, I wonder -- can you download
patches through the archives, for instance?) is outside of my scope.
% point? Is it ok if I send pgp-signed mail under your name to the
% archives, because anyone reading it will assume it's from you, but
% they're not important enough to make you worry?
From my brief perusal it appears that whether you sign it or not makes
no difference, but you certainly can't sign it with my key (I hope :-)
and so something appearing in the archives without correct validation is
as suspect as an unsigned message on the mailing list.
Are the people who peruse the archives important? Sure they are, just
like anyone else. My personal feeling is that I prefer the mailing list
(probably any mailing list over any web site, though I know it seems that
I'm one of a dying breed), so I certainly admit that mailing list readers
are "more important" to me than archive browsers. More to the point,
though, the archive is populated by the mailing list and then chooses
to throw away certain information, so I don't consider its contents
as valid as the original messages. Conversely, a web-based discussion
group whose content is generated at the web site would be the "canonical"
authority regarding metadata concerning a post, and I would hope that
there would be a way to search the logs to determine from where a certain
posting was made, and then further search that IP address's site's logs,
etc etc -- and if, as in the case of at least one group/list of which I
know (since I participate), mailing list traffic is somehow generated
from that web site I would consider it less valuable, particularly if
it discarded information previously available.
It is for that reason that I'm not terribly worried that archive browsers
don't see my signature (not my fault), can't verify who sent the original
message (I provided that, but ...), or even aren't on the mailing list
(their loss, IMHO).
%
% > Thanks for the discussion. I'm happy to continue, since I feel that
% > I have a position that can be logically defended, but I don't have to
% > and certainly don't have to on the list to the borement of most or
% > all. I welcome your reply.
%
% I'm very interested in your defence of your position. I know quite well
I hope this continues to be interesting.
% that you are under no obligation to continue this discussion (though my
% hit team will be on your doorstep if you don't! Mwahahahahaha! er,
*grin*
% sorry), and I haven't seen anyone else complain that we're boring
% them... though if I get more than one such remark, whether on list or
% off, I promise I'll take it to private mail.
Fine with me either way :-)
%
% Fascinated,
%
% Ailbhe
%
% --
% Homepage: http://ailbhe.ossifrage.net/
:-D
--
David T-G * It's easier to fight for one's principles
(play) [EMAIL PROTECTED] * than to live up to them. -- fortune cookie
(work) [EMAIL PROTECTED]
http://www.justpickone.org/davidtg/ Shpx gur Pbzzhavpngvbaf Qrprapl Npg!
PGP signature