Mailinglist Archive: opensuse-security (457 mails)

< Previous Next >
Re: [suse-security] ID wwywxugwisi... thanks
  • From: Robert Schiele <rschiele@xxxxxxxxxxxxxxx>
  • Date: Tue, 17 Feb 2004 19:04:31 +0100
  • Message-id: <20040217180431.GH25952@xxxxxxxxxxxxxxxxxx>
On Tue, Feb 17, 2004 at 09:50:21AM -0800, john@xxxxxxxxxxxx wrote:
>
>
> I agree that it's a dumb idea, but these virii don't know and don't care
> what the purpose of this list is. Someday some nitwit will stumble onto a
> piece of code that exploits an as-yet undiscovered flaw in one or more
> linux email clients, and we'll have a small disaster. It's just plain
> naive to think this will never happen. Perhaps later than sooner, but
> there is a lot more likelyhood that it will than it won't.
>
> Since it does no good to complain without offering a solution, here's an
> idea:
>
> Why not require all messages posted to this list to be signed with the
> users's gpg key? Building functionality into the list daemon to verify
> signatures would be easy task and would also help cut back on the spam
> that invades this list from time to time. Users can supply their public
> key at subscription time or it can be pulled from a keyserver when the
> users posts. It's really not a huge inconvenience...

But this makes posting to the list much more inconvenient that do not use PGP
regularly. And finally it does not help that much. If someone builds such an
exploit, he could as well generate a random PGP key and register it for the
mailing list. --- In principile this could also be done automatically by a
virus itself, although most viruses are far from that complexity nowadays.

BTW: Your PGP key is of no cryptographic use as long as you don't let sign it
by trustworthy people. But I think no trustworthy person would sign a
key with ID "-linux_lad (This key supersedes all older keys)", thus you
might want to add a real name.

Robert

--
Robert Schiele Tel.: +49-621-181-2517
Dipl.-Wirtsch.informatiker mailto:rschiele@xxxxxxxxxxxxxxx
< Previous Next >
Follow Ups