On Mon, 4 Aug 2003 13:18:18 -0700 Alan Connor <alanc@localhost> wrote: > > Thanks Chris. Still doesn't make sense to me and I am seriously > considering writing a stanza in my newsreaders filters that will dump > any posts with PGP sigs. That's your right. I hope you're aware that in the process, you'll filter out the posts of many (most?) of the Debian developers that participate in this list. But again, that's certainly your right. > 1) Neither I nor anyone I know cares if you are who you say you are or > not. That's nice. Some people do. > ( In fact, someone could forge your PGP sig because most people > don't > have the software, and do you MORE harm that way. I don't understand what this means. Are you saying that someone could forge an email/post from me, and then tack an invalid signature on, with the intent being that "since most people don't use PGP, they'll see a signature on this forged item, and the mere existence of a signature will make them think it's real, independent of whether it's actually a valid signature or not."? If that's not what you're saying, then I dunno what you mean. If that *is* what you're saying, well, yes, that's possible; but I don't think it's a very interesting possibility to discuss, because it's true regardless of what I do. In fact, it's true even if they don't bother to tack on a PGP signature of some sort. For example, on this mailing list, I'm sure there will always be people who will ascribe any email with my "From:" header as having originated from the same person as the previous posts from that same address (that is, to the extent that anyone here ever notices my emails at all!). No matter what I do, someone can always claim to be me, and there's always the possibility that someone will believe that. However, by PGP-signing my correspondance, I give someone who cares enough to look in more detail the opportunity to verify that this email came from the same private key that signed all that other email, too. You may not be someone who cares enough to check whether my signature is valid, and that's *fine*. But you are not the whole world. > How would you > prove which of two nearly simultaneous posts with the EXACT same > PGP sig on them was the real one. ) A PGP signature contains information both about the private key used to generate it, *and* about the content of the signed file/document/ email/whatever. If two posts had the "EXACT same PGP sig", they would have to have the same content, or both signatures would not validate. > 2) They are a an extreme violation of netiquette I've seen you assert this several times. However, I haven't seen any justification for this assertion, however, other than that you just don't like PGP signatures personally. I've never seen the suggestion that signing email violates any sort of online etiquette taken seriously, and I've been swapping email since years before people PGP-signed email. I *have*, however, frequently seen cited as a breach of netiquette the failure to properly set "References:" or "In-Reply-To:" headers in replies. Hint hint. > 3) They are a waste of bandwidth on several levels Well, I have no idea what you mean by "several levels," but I don't think I need to. Complaints about "wasting bandwidth" are almost always subjective. I think most people on this mailing list would agree that spam is a waste of bandwidth -- but spammers, and the "businesses" for which they spam, certainly don't think so. I personally think Flash animations on webpages are almost always a waste of bandwidth; some people disagree with me quite seriously about that. Hell, to me, swapping mp3s through p2p file-sharing networks is an extreme waste of bandwidth; but these days, I'm probably in the minority on that view. Saying "user activity X wastes bandwidth" nearly always translates to "I personally don't think user activity X is sufficiently worthwhile to take up bandwidth." You have every right to have that opinion on a topic. When it comes to PGP-signing of email on mailing lists, lots of other people don't agree with you. > 4) They make posts hard to read and ugly. This, too, is a statement that can't be made universally. I don't think they make posts hard to read/ugly at all; I don't even *notice* them unless I go looking to see if one is there. Personally, I can't see how it's possible that PGP signatures make posts hard to read/ugly, unless 1) the MUA used is misconfigured; or 2) the MUA is so old that it doesn't follow the MIME standard. Or, if one is reading this mailing list through some external-to-Debian third-party mail-to-news gateway, then I can't see how it's possible that PGP signatures make posts hard to read/ugly, unless 1) the newsreader is misconfigured, or 2) the newsreader is so old that it doesn't follow the MIME standard. -c -- Chris Metzler cmetzler@speakeasy.snip-me.net (remove "snip-me." to email) "As a child I understood how to give; I have forgotten this grace since I have become civilized." - Chief Luther Standing Bear
Attachment:
pgpOViq4gJnQW.pgp
Description: PGP signature