
Re: Challenge-response mail filters considered harmful
> From cmetzler@speakeasy.net Mon Aug  4 13:11:52 2003
> 
> On Mon, 4 Aug 2003 10:41:37 -0700
> Alan Connor <alanc@localhost> wrote:
> >
> > 
> > Funny. I know someone who has 2 of those PGP signatures things, neither
> > of which use his real name or stats.
> > 
> > He can prove that he is someone he isn't.
> 
> No, he can't.  That's not what a PGP signature is, does, or is for.
> 
> All a PGP signature on a piece of email (or any other document/file/
> whatever) tells you is:
> 
> 1.  That it's exceedingly likely that it was signed with a particular
> 	private key (and you can determine *which* private key, by
> 	comparing the signature to the public key generated by that
> 	private key);
> 
> 2.  That it's exceedingly likely that the document hasn't been altered
> 	since it was signed.
> 
> A PGP signature does *not* tell you that whoever used the private key
> to sign the message is really who they say they are.  If a public and
> private key is apparently associated with a user named "Humpty T.
> Dumpty," there's no guarantee that that person exists, or that that's
> really the identity of the person holding that private key.  That's up
> to the recipient to decide, through setting a confidence level to the
> key.  However, keysigning, and the resulting so-called "web of trust,"
> can make this easier.
> 
> You might want to read about PGP, and public key infrastructures, a bit
> more.
> 
> http://web.bham.ac.uk/N.M.Queen/pgp/pgp.html
> http://www.desktoplinux.com/articles/AT3341468184.html
> 
> -c

Thanks Chris. Still doesn't make sense to me, and I am seriously considering
writing a stanza in my newsreader's filters that will dump any posts with
PGP sigs.

1) Neither I nor anyone I know cares if you are who you say you are or not.
   ( In fact, someone could forge your PGP sig because most people don't
     have the software, and do you MORE harm that way. How would you prove
     which of two nearly simultaneous posts with the EXACT same PGP sig on them
     was the real one? )

2) They are an extreme violation of netiquette.

3) They are a waste of bandwidth on several levels.

4) They make posts hard to read and ugly.

Alan

-- 
      For Linux/Bash users: Eliminate spam with the Mailbox-Sentry-Program. 
         See: http://tinyurl.com/inpd  for the scripts and docs.
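A worked illustration of the two properties Chris lists in the quoted reply (the signature pins down which private key signed, and whether the bytes changed afterwards) and of what it does not give you (the name on the key). This is an added example, not code from the thread or from any PGP implementation; it uses Ed25519 from Go's standard library as a stand-in for an OpenPGP signature, since the properties are the same even though the packet format is not. The key names, addresses and post text are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Key is a key pair plus the self-asserted user ID attached to it.
// The name is only a label chosen by whoever generated the key; nothing in
// the signature scheme checks it, which is the point made in the thread.
type Key struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewKey generates a fresh Ed25519 key pair under any name the holder likes.
func NewKey(name string) (*Key, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Key{Name: name, Pub: pub, priv: priv}, nil
}

// Sign produces a detached signature over msg with this key's private half.
func (k *Key) Sign(msg []byte) []byte {
	return ed25519.Sign(k.priv, msg)
}

// Verify reports whether sig was made over exactly msg by the private key
// that matches pub. A single changed byte in msg, or a signature copied
// from a different message, makes this return false.
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// WhichKey identifies which of the known public keys produced sig over msg.
// This is the "you can determine *which* private key" property: verification
// ties the signature to a key, not to a person.
func WhichKey(known []*Key, msg, sig []byte) (string, bool) {
	for _, k := range known {
		if Verify(k.Pub, msg, sig) {
			return k.Name, true
		}
	}
	return "", false
}

func main() {
	// Constructed sample: a key labelled with a name that belongs to nobody.
	humpty, err := NewKey("Humpty T. Dumpty <humpty@example.invalid>")
	if err != nil {
		panic(err)
	}
	alice, err := NewKey("Alice <alice@example.invalid>")
	if err != nil {
		panic(err)
	}

	post := []byte("Challenge-response filters are harmful because ...")
	sig := humpty.Sign(post)

	// Property 1: the signature verifies under Humpty's key and no other.
	name, ok := WhichKey([]*Key{alice, humpty}, post, sig)
	fmt.Printf("signed by key labelled %q: %v\n", name, ok)

	// Property 2: the post has not been altered since signing.
	altered := bytes.Replace(post, []byte("harmful"), []byte("helpful"), 1)
	fmt.Println("altered post verifies:", Verify(humpty.Pub, altered, sig))

	// The scenario from point 1 of the reply: the same signature block pasted
	// onto a second, different post.
	second := []byte("A second post carrying a copied signature block.")
	fmt.Println("copied signature on other post verifies:", Verify(humpty.Pub, second, sig))

	// What neither property gives you: the label is whatever the holder typed.
	fmt.Printf("the label %q is self-asserted; verification never checked it\n", humpty.Name)
}
```

Run it with `go run`. The copied-signature case fails to verify because the signature is bound to the exact bytes it was made over, so a signature lifted from one post does not carry to another; deciding whether "Humpty T. Dumpty" is a real person is still left to the recipient, exactly as the quoted reply says.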