Mailinglist Archive: opensuse (3166 mails)
Re: [SLE] pgp/gpg signatures & security (was 8.2 Announced)
- From: Tom Emerson <osnut@xxxxxxxxxxx>
- Date: Fri, 21 Mar 2003 03:03:16 -0800
- Message-id: <200303210303.19196.osnut@xxxxxxxxxxx>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[actually, I'm replying to John's post next in this thread, but needed to show
it from this point]
Shown below are the first & last few lines of Mitch's message as it appears to
me when I use Kmail's "reply-to-list" function:
On Thursday 20 March 2003 7:47 pm, Mitch Thompson wrote:
> On Thursday 20 March 2003 13:19, Tom Emerson wrote:
> > note: some may consider this a shade "off-topic", so if it degenerates
[snip]
> --
> Mitch Thompson, San Antonio TX // WB5UZG
> Red Hat Certified Engineer (RHCE) http://home.satx.rr.com/mlthompson
> Independent Amsoil Dealer http://amsdealer.webhop.biz
> GPG: BBDA 3A2A 4483 BD0D 7CED B8A9 D183 C8F6 B0AF 66AE
> wget -O - http://home.satx.rr.com/mlthompson/pubkey.gpg | gpg --import
> --
> "There are 10 kinds of people in the world: those who understand binary,
> and those who don't."
I don't claim to know everything that is going on, and I certainly expect this
to be what I called a "closed system" in a private message -- both Mitch and
I are using kmail, so *perhaps* kmail does some things that aren't 100%
standard, but "to me" I see that:
* I don't see the "---BEGIN PGP MESSAGE---" type headers & footers as text,
but rather kmail uses these to color-code the message [and in this case it is
yellow, indicating that while the signature is valid for the message
contained within, I've never directly or indirectly verified his key]
* the "reply" action strips these from the reply itself
* replying FURTHER strips the final-most "signature" applied by the list
software [I once had someone send a message that began with the signature
indicator -- many clients pre-load the signature block when you start a new
message, so he must have just started typing at the end of that -- in any
case, my "reply" to him quoted nothing; instant "TOFU" stopper... ;) ]
So, as I said, I think this is a "closed" system in that Kmail understands
fully how a kmail-composed message is organized, so it doesn't show anything
as "wrong". I see from John's headers he is using "messenger-pro/2.61",
edited by Zap/ZapEmail, so there is some "difference of opinion" between
these two programs [and I would expect my message to appear to have the same
problem(s) from John's point of view]
This is worse than browser compatibility, and I'm afraid human nature is such
that everyone will claim that their client is "absolutely correct" and
haughtily sneer at any other e-mail client "that doesn't work right" and
claim it "must" be the other client that is "wrong" [in fact, you might
almost think that is my attitude, but trust me, it isn't]. I *have* seen
messages appearing on the kmail developer/bug e-mail list about
"incompatibilities" between clients, along with samples of messages "as seen
by" these other clients in an attempt to figure out where things broke down.
[see bug #55450 -- a sylpheed user noted a problem w/detached signatures;
turns out an extra cr/lf pair was needed that wasn't immediately obvious]
Unfortunately this requires cooperation of people who aren't using kmail to
tell the developers of kmail where things aren't correct -- not always an
easy task :(
Tom
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: http://osnut.homelinux.net/TomEmerson.asc
iD8DBQE+evF3V/YHUqq2SwsRAt4aAJ93GIBSZR6jgvCkOfm3ZFR4DepSagCfS0xx
drQFSvPAzdO2sc/uadiMEO4=
=rx/S
-----END PGP SIGNATURE-----
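The reply behaviour described in the message above (armor lines not quoted, the signature block dropped, and a message that starts with the signature marker quoting nothing), as an added example that is not part of the original post and is not KMail's code. It is a simplified Python model that assumes the RFC 4880 cleartext-signature framing and the "-- " signature-delimiter convention; the function names and sample messages are constructed for illustration.

```python
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
SIG_DELIM = "-- "  # dash dash space; a bare "--" does not count

def strip_clearsign(text):
    """Return the signed text without its armor; unsigned input is returned as is."""
    lines = text.split("\n")
    if BEGIN_MSG not in lines or BEGIN_SIG not in lines:
        return text
    start = lines.index(BEGIN_MSG) + 1
    # Armor headers such as "Hash: SHA1" end at the first empty line.
    while start < len(lines) and lines[start] != "":
        start += 1
    body = lines[start + 1:lines.index(BEGIN_SIG)]
    # Undo dash-escaping: "- -- " inside the armor is "-- " in the message.
    return "\n".join(l[2:] if l.startswith("- ") else l for l in body)

def quote_for_reply(text):
    """Quote a message for a reply: armor removed, trailing signature block cut."""
    body = strip_clearsign(text).split("\n")
    # Assumption of this model: cut at the last delimiter line and drop the rest.
    cuts = [i for i, l in enumerate(body) if l == SIG_DELIM]
    if cuts:
        body = body[:cuts[-1]]
    return "\n".join("> " + l if l else ">" for l in body)

# Constructed samples; the signature body is a placeholder, not a real signature.
SIGNED = "\n".join([
    BEGIN_MSG,
    "Hash: SHA1",
    "",
    "The patch works for me.",
    "- -- ",
    "Alice (constructed sender)",
    BEGIN_SIG,
    "",
    "(constructed placeholder)",
    "-----END PGP SIGNATURE-----",
])
# A message typed *below* a pre-loaded signature marker: all of it counts as signature.
TOFU_STOPPER = "\n".join(["-- ", "Sender Name", "text typed after the marker"])

if __name__ == "__main__":
    print(quote_for_reply(SIGNED))
    print(repr(quote_for_reply(TOFU_STOPPER)))
```

A client that skips the dash-unescaping step sees "- -- " instead of "-- " and keeps the sender's signature block in the quote, which is one way two clients can disagree about the same message.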