David Shaw wrote:
> You always have the option to not sign, of course. But you don't get
> to tell the keyholder what information he puts in his user ID string.
> You don't create that, and it must be signed completely or not signed
> at all.
Of course it is not possible to tell the key holder wh
On Thu, Oct 27, 2005 at 11:45:09AM -0500, Alex Mauer wrote:
> > You don't. But it's not up to you as the signer - it's up to the key
> > holder to say how he wants to be known.
>
> Not really. It's up to me as the signer to affirm how I know the key
> holder. Or not sign at all if I can't veri
David Shaw wrote:
> Because they're not joined together it is not a real disambiguation.
> With two UIDs, it is possible for someone to remove one without
> affecting the other.
OK ... and what would that gain them?
> We've established that people are sometimes
> unwilling to sign "David Shaw"
On Wed, Oct 26, 2005 at 12:26:31PM -0500, Alex Mauer wrote:
> David Shaw wrote:
>
> >>>Some people
> >>>will not sign such a user ID though,
> >
> > It's not an issue of improving the trust, it's an issue of
> > disambiguation.
>
> Right, so why is it any better to have a key with:
> 0x992425
>>
>> I don't understand why. If you trust the association of the Name and
>> key, how/why would having an email address in there as well improve
>> the
>> trust?
>
>It's not an issue of improving the trust, it's an issue of
>disambiguation. In my case, there are many different David Shaws out
>
Ismael Valladolid Torres wanted us to know:
>Joost van Baal wrote:
>
>>On Tue, Oct 25, 2005 at 11:38:49PM -0400, David Shaw wrote:
>>>It's not an issue of improving the trust, it's an issue of
>>>disambiguation. In my case, there are many different David Shaws out
>>>there, including a furniture
Neil Williams wrote:
No, because you've separated the two - there has to be a reason to do this and
therefore you are implying that there is a difference between the two UID's.
There is. It is nearly impossible to verify with complete certainty
that the person you meet is in fact able to acc
On Wed, Oct 26, 2005 at 08:01:15PM +0100, Neil Williams wrote:
>
> I wouldn't sign the email only one because an email address can be accessible
> to more than one person. If I'm encrypting to this key, I want to know to
> WHOM I am writing.
>
In some cases you can't to WHOM you are writing. Wh
On Wednesday 26 October 2005 6:26 pm, Alex Mauer wrote:
> Right, so why is it any better to have a key with:
> 0x99242560 David Shaw <[EMAIL PROTECTED]>
>
> than to have
> 0x99242560 David Shaw
> 0x99242560 [EMAIL PROTECTED]
> (two UIDs)
>
> You still have the same level of disambiguation.
No, bec
David Shaw wrote:
>>>Some people
>>>will not sign such a user ID though,
>
> It's not an issue of improving the trust, it's an issue of
> disambiguation.
Right, so why is it any better to have a key with:
0x99242560 David Shaw <[EMAIL PROTECTED]>
than to have
0x99242560 David Shaw
0x99242560
Joost van Baal wrote:
On Tue, Oct 25, 2005 at 11:38:49PM -0400, David Shaw wrote:
It's not an issue of improving the trust, it's an issue of
disambiguation. In my case, there are many different David Shaws out
there, including a furniture designer in New Zealand, a Pulitzer prize
winning journ
On Tue, Oct 25, 2005 at 11:38:49PM -0400, David Shaw wrote:
> On Tue, Oct 25, 2005 at 08:50:11PM -0500, Alex Mauer wrote:
> > David Shaw wrote:
> > >Some people (myself included) check both before signing. The name via
> > >some sort of formal ID, and the email via a mail challenge.
> >
> > As do
On Tue, Oct 25, 2005 at 08:50:11PM -0500, Alex Mauer wrote:
> David Shaw wrote:
> >Some people (myself included) check both before signing. The name via
> >some sort of formal ID, and the email via a mail challenge.
>
> As do I, at least for a level 3 signature.
>
> >Still, if you don't want to
David Shaw wrote:
Some people (myself included) check both before signing. The name via
some sort of formal ID, and the email via a mail challenge.
As do I, at least for a level 3 signature.
Still, if you don't want to bind both tokens together, just create a
user ID of <[EMAIL PROTECTED]>
On Tue, Oct 25, 2005 at 06:22:10PM -0500, Alex Mauer wrote:
> David Shaw wrote:
> > On Mon, Oct 24, 2005 at 04:21:32PM -0500, Alex Mauer wrote:
> >
> >
> > I don't agree with this. The user ID system in all OpenPGP products
> > gives a regular UTF-8 string. Signatures simply bind that string to
David Shaw wrote:
> On Mon, Oct 24, 2005 at 04:21:32PM -0500, Alex Mauer wrote:
>
>
> I don't agree with this. The user ID system in all OpenPGP products
> gives a regular UTF-8 string. Signatures simply bind that string to
> the primary key. The system says exactly "Alex Mauer belongs with ke
On Mon, Oct 24, 2005 at 04:21:32PM -0500, Alex Mauer wrote:
> The UID format is also problematic IMO. GPG (OpenPGP?) strongly
> "wants" to have a Name and an email address for each UID. I think
> that this puts emphasis in a bad place, leading people to be signing
> the fact that e.g. "Alex Maue
[EMAIL PROTECTED] wrote:
>
> And the final 'objection' is more of a philosophical one: what is IDENTITY?
> If I know a person only by email, then that email *is* the person to me.
> And I know many people just by email and we are probably never going to
> meet IRL, except for some strange coincid
If anything needs to change it is that the documentation
I can more and more see that thanks to everybody's willingness on
this list to explain.
That is exactly my point, NOBODY should rely on ANY of that
information to
identify a key. The only identifier for a key is the fingerprint.
B. Kuestner wrote:
Coming as a newbie to all of this, I'd say there's a long way to go
until this whole thing is ready for my Mom to use it. And I think
that's what we eventually want to do, right? That encrypted messaging
becomes the norm, not the exception.
Public key systems that atte
I suggest that you seriously check our Big Lumber at www.biglumber.com
Thanks John. I will.
Regarding my personal web of trust: I get a clearer picture now and
for starter I'll exchange keys directly with my friends.
As for the "unwanted keys" for my e-mail address. At least for now I
kn
Am I missing something?
The web of trust. (And the documentation, apparently.)
Okay. I got that by now. I think the problem was that MacGPG makes it
really easy to get started with GPG:
There's a plug-in that integrates nicely with Apple's Mail. And the
Keychain Assistant lets you
On Sun, Oct 23, 2005 at 12:41:45PM -0700, Doug Barton wrote:
> David Shaw wrote:
> > On Sun, Oct 23, 2005 at 05:16:43PM +0100, Bob Henson wrote:
>
> >>That's not the only reason though. The PGP Global Keyserver is dangerous, as
> >>well as a nuisance, for a number of reasons. As it only shows one
David Shaw wrote:
> On Sun, Oct 23, 2005 at 05:16:43PM +0100, Bob Henson wrote:
>>That's not the only reason though. The PGP Global Keyserver is dangerous, as
>>well as a nuisance, for a number of reasons. As it only shows one key on a
>>search for a users name, it might cause people to miss a rev
On Sun, Oct 23, 2005 at 05:16:43PM +0100, Bob Henson wrote:
> > Some people do not like this server as it does email address
> > verification (via sending a mail to the email address on the key, if
> > any), and then signs the key. These signatures are reissued every 2
> > weeks or so if people k
David Shaw wrote:
> On Sat, Oct 22, 2005 at 06:26:51PM +0200, B. Kuestner wrote:
>
>> all: Joe Smith has no way of fixing the situation, even if he is
>> legitimate owner of the [EMAIL PROTECTED] e-mail address.
>>
>> It strikes me, that GNU-supporters would bash MS (or for that reason
>> a
On Sunday 23 October 2005 5:49 am, Alphax wrote:
> Neil Williams wrote:
> > The only solution to that is to get more
> > keysigning done.
>
> And to get more people using OpenPGP. Does anyone have a document called
> (eg.) "Why you should use OpenPGP" or similar? I've read the GNU Privacy
> Handbo
On Sat, Oct 22, 2005 at 06:26:51PM +0200, B. Kuestner wrote:
> all: Joe Smith has no way of fixing the situation, even if he is
> legitimate owner of the [EMAIL PROTECTED] e-mail address.
>
> It strikes me, that GNU-supporters would bash MS (or for that reason
> any vendor of proprietary soft
Albert Reiner wrote:
P.S.: A slightly less inflammatory tone would not have harmed either.
The tone of "How come King's bum is bare!?" was, no doubt,
considered inflammatory by the Court.
cdr
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http
On Sunday 23 October 2005 8:15 am, [EMAIL PROTECTED] wrote:
> On Sat, Oct 22, 2005 at 10:14:58PM +0100, Neil Williams wrote:
> > ? That key has NO signatures other than yourself! There's no way anyone
> > can trust it. There are NO paths.
>
> It does, look at:
> http://pks.aaiedu.hr:11371/pks/looku
[EMAIL PROTECTED] wrote:
>> If you want a formalised external method of identity verification, consider
>> using x.509 and people like Thawte will provide an alternative to GnuPG's
>> personal (face-to-face) methods.
>>
> Actually, at one point in time I did think about getting myself a "real"
On Sat, Oct 22, 2005 at 11:12:01PM +0200, markus reichelt wrote:
>
> http://bitfalle.org/keys/gpg-key-signing-policy.php
>
I don't feel like reading the GNU documentation license, so a short
question: may I reuse and adapt this text to my own needs? [I'll give
you a proper credit]
>
> imagine y
On Sat, Oct 22, 2005 at 10:14:58PM +0100, Neil Williams wrote:
>
> ? That key has NO signatures other than yourself! There's no way anyone can
> trust it. There are NO paths.
>
It does, look at:
http://pks.aaiedu.hr:11371/pks/lookup?op=vindex&search=0x16DA1F1690887E13
http://pks.aaiedu.hr:11371/
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Neil Williams wrote:
> As I said, you can verify my key via someone else. Once your key is in the
> "strong set" this becomes a lot easier. I regularly come across keys used on
> this list that are instantly verified by the web of trust.
>
> The
Neil Williams wrote:
> As I said, you can verify my key via someone else. Once your key is in the
> "strong set" this becomes a lot easier. I regularly come across keys used on
> this list that are instantly verified by the web of trust.
>
> The web of trust is scalable - you just need the oppo
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
And, of course I read this with Enigmail telling me that I received an
"UNTRUSTED, Good Signature" from you. Of course, I could slap a "Local
Sig" on your Key, but I prefer letting the Blue stripes remind me that
we haven't met, nor have our Keys "b
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Neil Williams wrote:
> On Saturday 22 October 2005 9:20 pm, [EMAIL PROTECTED] wrote:
>
>>2. WoT is problematic in that it is very sparse.
>
>
> In certain areas, maybe. The only solution to that is to get more keysigning
> done.
>
And to get m
On Saturday 22 October 2005 10:14 pm, Neil Williams wrote:
> I have not met everyone I can trust via the web of trust. From David's
> stats, I have 20 or so signatures that link within the main set and I can
> trust some 1400 keys that way.
Sorry, that should be Jason's stats, not David's.
Look
On Saturday 22 October 2005 9:20 pm, [EMAIL PROTECTED] wrote:
> > The web of trust enables such verification - if you can't meet me in
> > person, you can verify my key by having your key signed by someone who
> > has met me (there are lots).
> >
> > Until that happens, you have no way of trusting
* [EMAIL PROTECTED] wrote:
> On Sat, Oct 22, 2005 at 07:31:54PM +0100, Neil Williams wrote:
> >
> > That is exactly my point, NOBODY should rely on ANY of that information to
> > identify a key. The only identifier for a key is the fingerprint. You MUST
> > verify the fingerprint with the perso
On Sat, Oct 22, 2005 at 07:31:54PM +0100, Neil Williams wrote:
>
> That is exactly my point, NOBODY should rely on ANY of that information to
> identify a key. The only identifier for a key is the fingerprint. You MUST
> verify the fingerprint with the person and only then can you be sure that t
On Saturday 22 October 2005 5:26 pm, B. Kuestner wrote:
> Wow, is it just me or does anybody else consider this a major design
> flaw of the whole setup?
It is actually a component of one of the major strengths - the web of trust.
1. It is made perfectly clear that you are the sole protector of y
["B. Kuestner" <[EMAIL PROTECTED]>, Sat, 22 Oct 2005 18:26:51 +0200]:
> Am I missing something?
The web of trust. (And the documentation, apparently.)
Either you personally verify the key with your recipient (in which
case you know which key is the right one), or (slightly simplifying)
you choos
Thanks David.
I understand that technically there is no software command that I
could send off anywhere that could fix the situation, right?
If you don't have the private key, then yes, right. There is nothing
you can do about it.
I feared so after I read up on all this stuff.
Wow, is it j
On Fri, Oct 21, 2005 at 11:47:06PM +0200, B. Kuestner wrote:
> I'm still in the process of learning how to use GPG for signing and
> encrypting messages. I use MacGPG on, you guessed it, OS X.
>
> The interface of the GPG Keychain app makes it really easy to do some
> powerful stuff. And you k
I'm still in the process of learning how to use GPG for signing and
encrypting messages. I use MacGPG on, you guessed it, OS X.
The interface of the GPG Keychain app makes it really easy to do some
powerful stuff. And you know how it is, if powerful stuff is put in
the hands of ignorant peo