Re: OT: More about GPG signing
On 11/05/12 07:29, Henrique de Moraes Holschuh wrote:
> On Thu, 10 May 2012, Tony van der Hoff wrote:
>> I've learned a lot about GPG signing during the last few days. I can see
>> there are benefits where the recipient needs to be absolutely certain
>> that the sender is known to him.
>
> Yes. Or that the sender belongs to a certain group, for which an
> authoritative keyring is maintained.
>
>> That is certainly not the way mailing lists work, so causing a block of
>> some 400 characters to be sent to each and every subscriber is pure
>> self-indulgence, on the scale of insisting on sending HTML-formatted
>> mail. On balance, I think I prefer the latter.
>>
>> I have come to the conclusion that a GPG signature in these
>> circumstances says more about the sender's sense of self-importance than
>> anything else.
>
> Not always. Debian has a few mailing-lists where only signed mail by a
> Debian Developer is accepted (the -announce ones). Also, some information
> is considered critical enough that it is always sent signed. And yes,
> people DO make a fuss if the signature doesn't verify :)
And for some people signing their posts is a good idea on any Debian
list. ie. people who hold a position of authority in the Debian community.
However in every one of those cases I've always found a valid web of
trust - likewise with half a dozen posters on this list, even though
I've not met them - I've met or know some of the people in their key
signing chain. 2 or 3 degrees seems to cover most of the globe with
Debian/GNU/Linux, and geographic location has no bearing on whether
other people will sign your key.
>
> I've seen lots of PGP/MIME and S/MIME signed mails on MLs over the years,
> and any MUA worth using will do something smart with it (such as hide the
> mess and not bother the user if he is not validating signatures).
Yes!
If the signer relies on the recipient to jump through hoops to validate
the signature it speaks volumes of the signer. If you have to cut and
paste or perform CLI magic to validate or make a post viewable then the
whole excercise is *unfriendly*.
>
> Incorrectly-formatted PGP/MIME, as well as inline signatures are far more
> cumbersome on most MUAs, so they're far more likely to cause huge threads
> when used in an indiscriminate way.
>
And it will continue to increase as more people start using PGP
signatures and github accounts like digital fetishes. Many people are
convinced a message is from who it says it's from, just because it's
signed - few check the signature and even fewer check the identity of
the signer.
PGP is a convenient and robust system of ensuring the integrity and
authorship of a message when used properly - otherwise it's a convenient
ego toy for the ignorant at the inconvenience of others. Not unlike
animated avatars and advertisements in signatures.
I'd encourage people to use digital signatures where appropriate - but
only if used properly. If it's used properly few people will complain
and using PGP improperly is worse than not using it at all (promotes bad
practices and devalues the protocol).
Kind regards
--
Iceweasel/Firefox/Chrome/Chromium/Iceape/IE extensions for finding
answers to questions about Debian:-
https://addons.mozilla.org/en-US/firefox/collections/Scott_Ferguson/debian/
Reply to: