
Re: Challenge-response mail filters considered harmful



At 2003-08-04T20:01:48Z, Alan Connor writes:

> Don't know and don't care. I assess you by the quality of your posts.

Fair enough.  When I sign my posts, you can be assured that the *same*
person is writing each time.  If you've followed my postings for a period of
time, you may decide that you trust my opinion and advice.  I may answer one
of your questions one day.  If that time comes, you can trust that the same
person is answering *your* question that answered the previous ones.

> The same interface? The same machine? The same geographical location?
>
> What does "entity" mean?

Almost anything.  It could be a person, a role ("support@example.com", with
a shared key among all people with access to that account), or a machine
(some programs automatically sign and transmit reports to various newsgroups
and mailing lists).

> That has no meaning to me. What if I were to just copy all of that garbage
> on your posts? Wouldn't people then think I was you?

Not unless you can reverse-engineer the private key that I used to sign my
posts, and use that key to sign the forged messages.  Otherwise, it's a
broken signature that's brightly flagged by all email programs that support
PGP/GPG.

> Don't trust it for one second. Don't believe that corporations and the
> government can't decode PGP.
>
> Am inclined to think that anyone using PGP signatures is in fact someone
> else.

And your friend is the paranoid one?  :)

> *I* wouldn't even consider using PGP signatures.

That's well within your rights.

> My friend posts here under two different identities. So what is the point?

I have no idea.  You're the one hung up on the idea of pseudonyms.

> I exchange encoded mails with a couple of people. We use complex one-time
> pads with the originals delivered by hand and kept VERY well hidden. The
> en/de-coding is done in a ramdisk on a computer that is never connected
> to the internet and sits in a tiny shielded room. (go Debian) ( this is
> commercial/proprietary stuff ).

What's your random source?

> I KNOW that those communications are secure.

You do?  The other person has never compromised security in any way?  You've
*never* let the OTP-bearing medium out of your sight for even a second?  If
you're going to be paranoid, at least be zealous about it.  :)

> PGP is a farce, in my opinion. I think the government and the
> corporations, (as if there was a difference....) have a lot of people
> fooled.

The reason I don't believe that is that there would be an enormous amount of
press and respect for anyone who proved a serious vulnerability in any of
PGP's core components.  At least one researcher who knew of a weak spot
would publish, I could guarantee that.

> And I STILL think those signatures are good for nothing but making your
> posts hard to read and wasting bandwidth.

And I think that the moon is made of green cheese, but that don't make it
so.
-- 
Kirk Strauser

Attachment: pgpTsSxaWPcRs.pgp
Description: PGP signature
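The property argued for above (a signature proves the same key signed each post, and pasting a signature block onto other text yields a broken signature) can be shown in a few lines. This is an added example, not code from the thread or from any PGP implementation: it uses Ed25519 from Go's standard library in place of OpenPGP, and the "kirk" and "alan" keys and post bodies are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedPost models a message with a detached signature and the public key a
// reader uses to check it (the analogue of a PGP-signed Usenet post).
type SignedPost struct {
	Body      string
	Signature []byte
	PubKey    ed25519.PublicKey
}

// Sign produces the signature an author attaches to a post.
func Sign(priv ed25519.PrivateKey, body string) SignedPost {
	return SignedPost{
		Body:      body,
		Signature: ed25519.Sign(priv, []byte(body)),
		PubKey:    priv.Public().(ed25519.PublicKey),
	}
}

// Verify returns true only if Signature was made over exactly Body by the
// private half of PubKey. Any other body or any other key fails.
func Verify(p SignedPost) bool {
	return ed25519.Verify(p.PubKey, []byte(p.Body), p.Signature)
}

// SameSigner reports whether two posts both verify under the same key,
// i.e. whether the same entity wrote both (the continuity argued for above).
func SameSigner(a, b SignedPost) bool {
	return Verify(a) && Verify(b) && a.PubKey.Equal(b.PubKey)
}

// Scenarios runs the cases discussed in the thread and returns the verdicts:
// genuine:    the author's own post verifies;
// copied:     his signature block pasted onto different text;
// otherKey:   text signed with someone else's key but advertising his key;
// continuity: two genuine posts are recognised as the same signer.
func Scenarios() (genuine, copied, otherKey, continuity bool) {
	// Constructed keys: "kirk" stands in for the author, "alan" for another poster.
	kirkPub, kirkPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, alanPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	post1 := Sign(kirkPriv, "Fair enough. When I sign my posts...")
	post2 := Sign(kirkPriv, "I may answer one of your questions one day.")
	genuine = Verify(post1)

	// Copying "all of that garbage": same signature bytes and same advertised
	// key, but a different body. The signature no longer matches.
	forged := SignedPost{
		Body:      "Actually, I think PGP is a farce.",
		Signature: post1.Signature,
		PubKey:    kirkPub,
	}
	copied = Verify(forged)

	// Signing the same text with a different private key while claiming the
	// author's public key also fails: only the matching private key works.
	impostor := Sign(alanPriv, post1.Body)
	impostor.PubKey = kirkPub
	otherKey = Verify(impostor)

	continuity = SameSigner(post1, post2)
	return
}

func main() {
	g, c, o, k := Scenarios()
	fmt.Printf("genuine=%v copied-signature=%v other-key=%v same-signer=%v\n", g, c, o, k)
}
```

Real mail clients do the same check against the key they have on file for the sender, which is why a pasted signature block shows up as "BAD signature" rather than as proof of identity.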