On 3/05/14 11:32 AM, Robert J. Hansen wrote:
>
> Seems perfectly reasonable for me for the company to issue a
> signature on a purchase order using your *corporate-owned*,
> *corporate-controlled* certificate, which was always issued for the
> needs of the corporation.
>
> Just because a certific
On 05.05.2014 12:55, Robert J. Hansen wrote:
>
>> This is, again, rhetoric and not an argument. I explained that
>> before.
>
> As I explained, you are choosing not to recognize the argument.
>
You honestly seem to think that "We are doing $A, s
> So, let's make an insecure system instead of maybe changing the law?
Feel free to push for it. Optimistically, you might be able to get it
done in five years. And in the interim time, you need to have a method
to deal with the world as it is, because the world doesn't care what you
think it sh
On 04.05.2014 12:52, Robert J. Hansen wrote:
>> No, there are no good reasons.
>
> If that's an axiom in your system, then so be it. But let's not
> go about thinking that's something you've deduced from principles.
>
Well I haven't heard any so
On 04/05/2014 14:43, Robert J. Hansen wrote:
> Because the law says the document must bear the President's signature,
> not that of a functionary acting on the President's direction.
Just 'cause the law lays *way* behind technology: when it was created,
they couldn't think of "autosign" machi
> So why not just follow the standard practice of the trusted secretary
> signing the document himself and annotating it was signed for and on
> behalf of his boss?
Because the law says the document must bear the President's signature,
not that of a functionary acting on the President's direction.
> If the President's real signature on a copy of the document is not
> deemed acceptable, it seems pretty crazy to accept a machine-generated
> copy of the President's signature known to have been applied by a
> third party. But c'est la vie.
Welcome to government, where "pretty crazy" is about th
Hi
On Sunday 4 May 2014 at 9:30:23 AM, Robert J. Hansen wrote:
> The autopen is a machine that replicates a physical
> signature.
Sounds like an updated version of the rubber-stamp signatures that
used to be on some company cheques and othe
Hi
On Sunday 4 May 2014 at 11:52:36 AM, Robert J. Hansen wrote:
> Under United States law, for a piece of legislation to
> take effect the President must affix his signature to
> the *exact same piece of paper* that the House and
> Senate af
> No, there are no good reasons.
If that's an axiom in your system, then so be it. But let's not go
about thinking that's something you've deduced from principles.
> There is no technical problem to give different signers the same
> rights to make certain signatures but make it comprehensible wh
On 04.05.2014 10:30, Robert J. Hansen wrote:
>
> Are there good business reasons for third party escrow of signing
> keys? Quite probably. If you can think of a situation where an
> autopen is appropriate, whether in business or in government,
>
> That practice is the same as asking you to sign blank sheets of paper so
> they can later write on them what they like.
The better comparison is to the autopen. And if that's good enough for
President Obama...
The autopen is a machine that replicates a physical signature. That's
pretty much a
On 03/05/2014 05:01, Robert J. Hansen wrote:
> And regardless of whether it's a good practice or a bad one, I've worked
> in businesses that have done exactly this -- so it's a real-world
> example that demonstrates the occasional need for a third party to
> possess signing keys.
That practic
> Personally, I would prefer not to discriminate against black people,
> for reasons that have already been expressed on the list. But if
> there's a corporate policy that says I have to, then that's the way
> you play the game.
In which case, the proper response is to say "I quit." That's a simp
On 03.05.2014 05:01, Robert J. Hansen wrote:
>
> And regardless of whether it's a good practice or a bad one, I've
> worked in businesses that have done exactly this -- so it's a
> real-world example that demonstrates the occasional need for a
> thi
> So i mean, sure, i can definitely imagine a company doing it the way you
> describe. I just don't think it's a good business practice.
Unfortunately, the world doesn't much care what we think of as good
business practices. And why should they? We're nerds -- we understand
technology, perhaps,
On 05/02/2014 09:32 PM, Robert J. Hansen wrote:
>> However, i see *no* legitimate need for any employer to be able to
>> forge data signatures or identity certifications from your
>> work-related key. escrow only makes sense for encryption-capable
>> keys in limited contexts.
>
> Imagine this: you'
> However, i see *no* legitimate need for any employer to be able to
> forge data signatures or identity certifications from your
> work-related key. escrow only makes sense for encryption-capable
> keys in limited contexts.
Imagine this: you're a purchasing agent at Yoyodyne. You've established
W
On 02-05-2014 18:18, Daniel Kahn Gillmor wrote:
> On 05/02/2014 06:03 PM, Faramir wrote:
>> On 28-04-2014 14:35, Daniel Kahn Gillmor wrote: ...
>>> But I also want to point out that some employers may have a
>>> legitimate need (even a legal c
On 05/02/2014 06:03 PM, Faramir wrote:
> On 28-04-2014 14:35, Daniel Kahn Gillmor wrote:
> ...
>> But I also want to point out that some employers may have a
>> legitimate need (even a legal compulsion) to be able to decrypt
>> communications coming to your work-related e-mail. One reasonable
>
On 28-04-2014 14:35, Daniel Kahn Gillmor wrote:
...
> But I also want to point out that some employers may have a
> legitimate need (even a legal compulsion) to be able to decrypt
> communications coming to your work-related e-mail. One reasonabl
On 04/26/2014 06:21 PM, John Sockwell wrote:
> I’m looking for best practices in creating and managing multiple subkeys and
> uids.
>
> In my scenario, I have a personal computer and personal email address. In
> addition, I have an employer provided computer and employer email address.
>
> I’d
Hi
On Monday 28 April 2014 at 4:10:31 PM, Mike Cardwell wrote:
> Many companies also make you wear a suit and tie and
> use Internet Explorer 7. I do not work for these
> companies.
Fair enough. I was just pointing out to the OP that the s
* on the Mon, Apr 28, 2014 at 02:40:29PM +0100, MFPA wrote:
>> I solve this problem using an OpenPGP smart card. My
>> PGP key never touches my work machine, so I never have
>> to worry about it being compromised.
>
> Many employers would not allow you to plug in hardware, so you
> couldn't use a
Hi
On Sunday 27 April 2014 at 11:11:00 AM, Mike Cardwell wrote:
> I solve this problem using an OpenPGP smart card. My
> PGP key never touches my work machine, so I never have
> to worry about it being compromised.
Many employers would not
* on the Sat, Apr 26, 2014 at 10:21:42PM +, John Sockwell wrote:
> I'm looking for best practices in creating and managing multiple
> subkeys and uids.
>
> In my scenario, I have a personal computer and personal email address.
> In addition, I have an employer provided computer and employer
>
I’m looking for best practices in creating and managing multiple subkeys and
uids.
In my scenario, I have a personal computer and personal email address. In
addition, I have an employer provided computer and employer email address.
I’d like to create a key architecture where if I’m ever compell