On Mon, Aug 04, 2003 at 01:18:18PM -0700, Alan Connor wrote:
>
> > From cmetzler@speakeasy.net Mon Aug 4 13:11:52 2003
> >
> > On Mon, 4 Aug 2003 10:41:37 -0700 Alan Connor <alanc@localhost> wrote:
>
> Thanks Chris. Still doesn't make sense to me and I am seriously considering
> writing a stanza in my newsreader's filters that will dump any posts with
> PGP sigs.
>
> 1) Neither I nor anyone I know cares if you are who you say you are or not.

And you have already been informed that this is *not* the purpose of PGP.
It verifies that all the messages signed with a certain key come from the
holder of that key.

A little example:

Without PGP, a spammer harvests my address somewhere and sends spam to the
list with me listed as the From address. I'm going to have a hell of a time
proving that I'm not the spammer. With PGP, I can just point out that
they're not signed with my key, and I've already established a precedent
that all messages that are legitimately from me *are* signed.

Alternately: Someone chooses to misquote me as saying something offensive
or damaging. I can just point to the original message and say "Check the
signature." That's proof of what I *actually* said. Unless he can produce
an original message --signed with my private key-- in which I actually did
say what he's accusing me of, I'm clear.

Etc.

It doesn't matter if I choose Jesus H. Christ as my identity for the key.
It simply indicates that all the messages signed with that particular key
really do originate from the same person, the keyholder.

> ( In fact, someone could forge your PGP sig because most people don't
> have the software, and do you MORE harm that way. How would you prove
> which of two nearly simultaneous posts with the EXACT same PGP
> sig on them was the real one. )

Did you actually *read* the references you were provided? I get the
feeling I'm arguing about cryptography with someone who has never heard
of a checksum...
If you copy the PGP sig onto a different message (or alter a signed
message) then the signature no longer matches the message and anyone who
checks the sig will get a pointed warning to that effect. How would I prove
it? I would point out "that message is not from me, check the signature!"

Anyone who trusts a crypto signature without having the software to verify
it is too stupid to be allowed access to a computer system.

> 2) They are an extreme violation of netiquette

I don't know where you've been learning your netiquette. PGP-signed
messages have been widely regarded as acceptable (if not preferable) for
*at least* the past decade.

> 3) They are a waste of bandwidth on several levels

My signature shows up as a 0.2k attachment. Unless you're still using a
50 bps telephone-cradle type modem, I can't see that being a bandwidth
issue. Really.

> 4) They make posts hard to read and ugly.

Only if you're reading them on a badly broken client (or User-Agent if you
prefer the term). A properly designed program *even if it doesn't know PGP*
will just display the message text, leaving the signature alone in its own
attachment.

Under my setup with mutt, the signature is automatically checked, and each
signed message is prefaced with a brief header telling me whether the
signature is valid (and matches the message contents) or not. The very
essence of convenience.

Of course, the old-fashioned "in-line" type of signature does add a few
lines in the body of the message, but those are (AFAIK) widely regarded as
deprecated, in favour of PGP-MIME with the sig as a separate attachment.

-Cheers

--
,-------------------------------------------------------------------------.
>  -ScruLoose-     |  He that breaks a thing to find out what it is        <
>  Please do not   |  has left the path of wisdom.                         <
>  reply off-list. |                          - J.R.R. Tolkien             <
`-------------------------------------------------------------------------'
Attachment: pgpYiAUIgV8Wx.pgp (Description: PGP signature)
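The point made in the post above, that a detached signature is bound to the exact bytes of the message it was computed over and cannot be lifted onto a different message or survive an edit, as an added example that is not part of the original post or of any PGP implementation. To stay runnable offline it uses a stdlib-only toy (textbook RSA over a SHA-256 digest) in place of an OpenPGP detached signature; the key size, message texts and helper names are constructed for illustration and the scheme is not suitable for real use.

```python
"""Toy demonstration of why a detached signature cannot be transplanted.

Added example, not from the original mailing-list post. Textbook RSA over a
SHA-256 digest stands in for an OpenPGP detached signature; real PGP/MIME
uses OpenPGP packets and padded signature schemes, and this toy must never
be used for real signing. Requires Python 3.8+ for pow(e, -1, phi).
"""
import hashlib
import secrets


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test (plenty for a toy key)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    """Random odd prime with the top bit set so n = p*q has a known size."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 512):
    """Return (public, private) as ((n, e), (n, d)). 512-bit toy size only."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    d = pow(e, -1, phi)
    return (p * q, e), (p * q, d)


def _digest_int(message: bytes) -> int:
    # SHA-256 is 256 bits, so the digest is always < the 512-bit modulus.
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private) -> bytes:
    """Detached signature: the message is not embedded, only its digest is signed."""
    n, d = private
    return pow(_digest_int(message), d, n).to_bytes((n.bit_length() + 7) // 8, "big")


def verify(message: bytes, signature: bytes, public) -> bool:
    """Recompute the digest of the message as received and compare."""
    n, e = public
    return pow(int.from_bytes(signature, "big"), e, n) == _digest_int(message)


def demo() -> dict:
    """Run the scenarios from the thread and report which ones verify."""
    pub, priv = generate_keypair()
    original = b"Hello list, this is what I actually said.\n"   # constructed sample
    sig = sign(original, priv)

    spam = b"Great offer, reply to this address!\n"            # constructed sample
    misquote = original.replace(b"actually", b"never")       # edited after signing
    _other_pub, other_priv = generate_keypair()              # someone else's key

    return {
        "original_verifies": verify(original, sig, pub),
        "same_sig_on_other_message": verify(spam, sig, pub),
        "altered_message": verify(misquote, sig, pub),
        "signed_by_other_key": verify(original, sign(original, other_priv), pub),
    }


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario:28s} -> {'good signature' if ok else 'BAD signature'}")
```

Only the first scenario verifies; pasting the signature onto a different message, editing one word of the signed text, or signing with a different key all produce a bad-signature result, which is exactly the "check the signature" defence described in the post. A real PGP/MIME-aware client performs the same recomputation over the message part and shows the good/bad header the post mentions.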