Mailinglist Archive: opensuse (3166 mails)
Re: [SLE] pgp/gpg signatures & security (was 8.2 Announced)
- From: Mitch Thompson <mitchthompson@xxxxxxxxxxx>
- Date: Thu, 20 Mar 2003 21:47:42 -0600
- Message-id: <200303202147.43407.mitchthompson@xxxxxxxxxxx>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Thursday 20 March 2003 13:19, Tom Emerson wrote:
> note: some may consider this a shade "off-topic", so if it degenerates
> further I'll mark it as such. For now, however, this should be some "good
> info" for those that are curious [and besides, it centers around a feature
> that is implemented more completely in Linux than in windows ;) ]
>
Tom,
Thank you for an excellent explanation. At the time I wrote my (rather curt)
response, I was in a rush.
Basically, as you noted, and others, signing messages is a personal decision.
One of the arguments for signing everything that I have heard is that it is a
"promotion" thing. I'm not paranoid, but as you explained, it is simple to
forge headers and "be someone else" to all except those who know how to
verify headers. I have been signing messages, first when I used Evolution,
and now with KMail, for about a year now. Every time I come across a signed
email for which I do not have the sender's key, I query key servers and if it
is available, I put it in my public key ring. That does not guarantee that
the person who a) generated the key and b) signed the email are really who
they say they are, but it's a bit better than nothing. Now, the best thing
is to be face-to-face with someone and get their public key, after verifying
their identity (as in a key-signing party). Public keys are ASCII
exportable, and can even be written out and typed back in and imported.
Anyway, when all is said and done, I believe it is a Good Thing (TM), and I
have no intention of stopping.
- --
Mitch Thompson, San Antonio TX // WB5UZG
Red Hat Certified Engineer (RHCE) http://home.satx.rr.com/mlthompson
Independent Amsoil Dealer http://amsdealer.webhop.biz
GPG: BBDA 3A2A 4483 BD0D 7CED B8A9 D183 C8F6 B0AF 66AE
wget -O - http://home.satx.rr.com/mlthompson/pubkey.gpg | gpg --import
- --
"There are 10 kinds of people in the world: those who understand binary,
and those who don't."
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iQIXAwUBPnqLXtGDyPawr2auFAI/dwf/dkcHfbryHjzyp1OueshXdXqznEFXmc5H
+ixOwkd2eELxfSrUVKyyRmsi4uD/NnqMatsHaxD3VpyuAS5iofnpEsIPGQmQ5QCl
DYHBbhtzitX4+s0/NkYNpjd5iVp1qJ7fBY5HrUWMEKVebfvxR1UllUyzj5+mGqFD
fEVIyCHtg9UnNegrTVUF4hVP+WJm9d/t6o19slgJpxEhP3qM3d7DRC+nLrPT+Z+L
fuUgJYrNSkHQRlYpKfvQwRCuihgeHM+L6k28civ5DAigWqzT4mWdWA65H0Cfd4zy
C4Um3Sm0kB1xAAZa9W4fUwpQE2RaVTMLlC+2Dmh+Axji0CpdBzkvCgf9FlVCHvDa
Ufphx8RSuEU0HxKbl6+c+FFx5Jdl188EtgYqPIdWosu1t4DuCUWcTCkxwP/q1PVl
2qyC2ErBB3kdFIN+0IYLceBvvqQrqOy+yM5Co+4Be6zy4OMXRpIsYQZvoheDHkFk
XYX94GugsYs+eCIaJsZg5m9HFwfrSihiiO7c/zzkpNTsdPYqeeunOlL27ZdywtVN
ygbz9/+tGxclWF848qvXchToxSFQLdl9W2fTk4X6HYgGoADrwkCDqjc0deDRabBd
9/ePx1UCJCY1nBMSY9yzQsBVofR35O0quU/cUheqgpuQ3gpCHdBJcSlkVjgJ4oRD
DRXbr83P62tH5g==
=ZDZo
-----END PGP SIGNATURE-----
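The check this post argues for, as an added shell example that is not part of the thread: a key fetched from a keyserver (or with a `wget | gpg --import` one-liner like the one in the signature block) proves nothing about who holds it, so the fingerprint obtained out of band, face to face or from a source already trusted, is pinned and compared with what GnuPG reports for the key. The script relies on GnuPG's documented machine-readable formats (`--with-colons` listings, where the fingerprint is field 10 of an `fpr` record, and the `VALIDSIG` line from `--status-fd`); the sample listing, fingerprint values and user ID are constructed for illustration and belong to no real key.

```shell
#!/bin/sh
# Added example, not code from the original thread. Pin a correspondent's
# primary-key fingerprint obtained out of band and compare it with what GnuPG
# reports, instead of trusting a keyserver import alone.
# All sample data below is constructed for illustration.

# Normalise a fingerprint as a person would read or type it: drop whitespace,
# upper-case the hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# Read GnuPG's machine-readable listing (gpg --with-colons --fingerprint) on
# stdin and print only PRIMARY key fingerprints: field 10 of the "fpr" record
# that follows a "pub" record. An "fpr" record after "sub" belongs to a subkey.
primary_fprs() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }'
}

# Succeed (exit 0) only if the pinned fingerprint ($1) equals one of the
# primary fingerprints in the listing on stdin.
fpr_matches() {
    primary_fprs | grep -qxF "$(norm_fpr "$1")"
}

# Real-world use (needs gpg and the sender's key already imported): verify a
# clearsigned mail, take the signing key's fingerprint from the VALIDSIG status
# line, then confirm that key's primary fingerprint is the pinned one.
check_signed_mail() {   # $1 = pinned fingerprint, $2 = clearsigned message file
    sigfpr=$(gpg --status-fd 1 --verify "$2" 2>/dev/null \
             | awk '$2 == "VALIDSIG" { print $3; exit }')
    [ -n "$sigfpr" ] || { echo "no valid signature on $2"; return 1; }
    if gpg --with-colons --fingerprint "$sigfpr" | fpr_matches "$1"; then
        echo "signature valid and made by the pinned key"
    else
        echo "signature valid, but the key is NOT the pinned one"
        return 1
    fi
}

# Constructed --with-colons listing: one primary key with one encryption subkey.
PINNED='0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567'
SAMPLE_COLONS='pub:-:4096:1:89ABCDEF01234567:1047000000:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1047000000::0000000000000000000000000000000000000000::Example User <user@example.invalid>::::::::::0:
sub:-:4096:1:76543210FEDCBA98:1047000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# With two arguments (pinned fingerprint, signed file) run the real gpg check;
# otherwise demonstrate the comparison on the constructed listing.
if [ $# -eq 2 ]; then
    check_signed_mail "$1" "$2"
elif printf '%s\n' "$SAMPLE_COLONS" | fpr_matches "$PINNED"; then
    echo "sample listing: pinned fingerprint matches the primary key"
else
    echo "sample listing: fingerprint MISMATCH"
fi
```

Matching on the primary fingerprint rather than on the signing key's own fingerprint matters because signatures are usually made with a subkey: a fresh subkey on the wrong primary key would still be rejected, and a legitimately rotated subkey on the pinned primary key is still accepted. The short key ID (the last 16 hex digits) is deliberately not compared, since only the full 40-digit fingerprint identifies a key.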