Re: OT PGP - Was [SLE] 8.2 Announced - openSUSE Users

newer
RE: [SLE] fetchmail: can't raise...

Re: OT PGP - Was [SLE] 8.2 Announced

Jeff Dierking

20 Mar 2003 20 Mar '03

18:12

OK, quick reasoning behind a signed message... Signing a message ensures the receiver that the originator is who they say they are. Too many people assume (and that's a bad thing) that just becaus it say it is from a person that it is. Not so. Anybody can spoof their name and address. I am sorry that it annoys you, but is it really that big of a deal? I could understand if it was a 2 line message with a 100 line signature. Jeff Dierking

Attachments:

signature.asc (application/pgp-signature — 189 bytes)

Show replies by date

Johnny Ernst Nielsen

20 Mar 20 Mar

18:48

New subject: [SLE] Re: OT PGP - Was [SLE] 8.2 Announced

Good day Jeff, just out of curiosity, how do I use the long signature in the end of a mail to check that the sender is who he says he is? Best regards :o) Johnny :o) Torsdag den 20. marts 2003 19:12 kvad Jeff Dierking:

...

OK, quick reasoning behind a signed message...

Signing a message ensures the receiver that the originator is who they say they are. Too many people assume (and that's a bad thing) that just becaus it say it is from a person that it is. Not so. Anybody can spoof their name and address.

I am sorry that it annoys you, but is it really that big of a deal? I could understand if it was a 2 line message with a 100 line signature.

Jeff Dierking

Tom Wesley

18:53

New subject: [SLE] Re: OT PGP - Was [SLE] 8.2 Announced

On Thursday 20 March 2003 18:48, Johnny Ernst Nielsen wrote:

...

Good day Jeff,

just out of curiosity, how do I use the long signature in the end of a mail to check that the sender is who he says he is?

Best regards :o)

Johnny :o)

Torsdag den 20. marts 2003 19:12 kvad Jeff Dierking:

...
OK, quick reasoning behind a signed message...

Signing a message ensures the receiver that the originator is who they say they are. Too many people assume (and that's a bad thing) that just becaus it say it is from a person that it is. Not so. Anybody can spoof their name and address.

I am sorry that it annoys you, but is it really that big of a deal? I could understand if it was a 2 line message with a 100 line signature.

Jeff Dierking

That depends on your mail client. KMail has options within the Configure -> Security. But I'm quite sure that it's turned on by default. Pine has extras that can make it work with a little work. Tom

Carlos E. R.

21 Mar 21 Mar

20:42

New subject: [SLE] Re: OT PGP - Was [SLE] 8.2 Announced

The 03.03.20 at 18:53, Tom Wesley wrote:

...

That depends on your mail client. KMail has options within the Configure -> Security. But I'm quite sure that it's turned on by default. Pine has extras that can make it work with a little work.

In fact, your signature doesn't check with Pine, whereas that of James Oakley does. What I see is just an attached file (196 bytes) like this: [ Part 2, "signature" Application/PGP-SIGNATURE 196bytes. ] [ Cannot display this part. Press "V" then "S" to save in a file. ] Mozilla, in you case (and James Oakley) displays a broken pen icon; if I click on it mozilla will try to get the key from the server www.keyserver.net, and it fails in both cases ("no valid OpenPGP data found" in one case and "read error: connection reset by peer"). So I don't know that it is properly signed . -- Cheers, Carlos Robinson

Theo v. Werkhoven

22 Mar 22 Mar

00:45

New subject: [SLE] Re: OT PGP - Was [SLE] 8.2 Announced

On Fri, 21 Mar 2003, Carlos just had to get this off his chest:

...

The 03.03.20 at 18:53, Tom Wesley wrote:

...
That depends on your mail client. KMail has options within the Configure -> Security. But I'm quite sure that it's turned on by default. Pine has extras that can make it work with a little work.

In fact, your signature doesn't check with Pine, whereas that of James Oakley does. What I see is just an attached file (196 bytes) like this:

[ Part 2, "signature" Application/PGP-SIGNATURE 196bytes. ] [ Cannot display this part. Press "V" then "S" to save in a file. ]

Mozilla, in you case (and James Oakley) displays a broken pen icon; if I click on it mozilla will try to get the key from the server www.keyserver.net, and it fails in both cases ("no valid OpenPGP data found" in one case and "read error: connection reset by peer").

So I don't know that it is properly signed .

Both peoples gpg/pgp sigs work without a hitch in Mutt 1.4.1i and gpg-1.2.1-1 I suggest you try a "real" MUA Theo -- Theo v. Werkhoven Registered Linux user# 99872 http://counter.li.org ICBM 52 13 27N , 4 29 45E. SuSE 8.0 x86 Kernel k_Athlon 2.4.19-4GB See headers for PGP/GPG info.

Carlos E. R.

01:53

New subject: [SLE] Re: OT PGP - Was [SLE] 8.2 Announced

The 03.03.22 at 01:45, Theo v. Werkhoven wrote:

...

Both peoples gpg/pgp sigs work without a hitch in Mutt 1.4.1i and gpg-1.2.1-1 I suggest you try a "real" MUA

Yours fails with pine, which is a real MUA. It says there is a pgp attachement, but does not even offer to check it. Mozilla, which is also a very real MUA (IMHO), does detect your signature, but I'm sure will fail to fetch your key form the public server. -- Cheers, Carlos Robinson

Tom Emerson

05:58

New subject: OT: [OT] MUA "preferrence" (was PGP - Was [SLE] 8.2 Announced)

...

The 03.03.22 at 01:45, Theo v. Werkhoven wrote:

...

...
I suggest you try a "real" MUA

Yours fails with pine, which is a real MUA. .... Mozilla, which is also a very real MUA (IMHO) ...

heh heh heh -- this is exactly what I pointed out elsewhere on this thread: there seems to be a tendancy to claim "*my* mua is better than yours because mine works correctly and yours is broken" -- gotta love it ;) Tom (whups, almost forgot </sarcasm> tags) - -- Yet another Blog: http://osnut.homelinux.net -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) Comment: http://osnut.homelinux.net/TomEmerson.asc iD8DBQE+e/uhV/YHUqq2SwsRApIiAJ44ZTQfnWyAEU7zs1Up8qDjHgMgpwCfWzqh Q5enC3K1AawMhM/cPI+GBbc= =n/XU -----END PGP SIGNATURE-----

Carlos E. R.

23:08

New subject: [SLE] OT: [OT] MUA "preferrence" (was PGP - Was [SLE] 8.2 Announced)

The 03.03.21 at 21:58, Tom Emerson wrote:

...

[marked with a couple of semi-standard "off-topic" indicators -- if there is a "de facto standard" marker let me know and I'll endeavour to use it in the future]

dunno...

...

heh heh heh -- this is exactly what I pointed out elsewhere on this thread: there seems to be a tendancy to claim "*my* mua is better than yours because mine works correctly and yours is broken" -- gotta love it ;)

X-)

...

------------ Output from gpg ------------ gpg: please see http://www.gnupg.org/faq.html for more information gpg: Signature made Sat 22 Mar 2003 06:58:57 AM CET using DSA key ID AAB64B0B gpg: Can't check signature: public key not found

See? I had your key, it would certify - I hope! - but some people sigs I can not. -- Cheers, Carlos Robinson

rex

03:29

New subject: [SLE] [OT] PGP - Was [SLE] 8.2 Announced

Theo v. Werkhoven [2003-03-21 17:25]:

...

Both peoples gpg/pgp sigs work without a hitch in Mutt 1.4.1i and gpg-1.2.1-1 I suggest you try a "real" MUA

I also use Mutt (1.4i) and your message gives a bad signature warning from PGP 6.5.8. Messages sent from myself have OK sigs and decryption from PGP/Eudora works. Oddly, if your message is saved directly from the /var/mail/rex file, the sig checks OK with PGP 6.5.8. I spent over an hour trying to find out why your message gives a bad sig warning in Mutt from PGP 6.5.8 without any productive result. :( BTW, note that I changed OT to [OT] in the subject. It makes filtering more accurate. And, I certainly agree that Mutt is a "real" MUA. Best there is, IMO. www.mutt.org -rex -- The King has note of all that they intend, By interception which they dream not of. --William Shakespeare, _Henry V_, Act II, Scene 2

Carlos E. R.

23:21

New subject: [SLE] [OT] PGP - Was [SLE] 8.2 Announced

The 03.03.21 at 19:29, rex wrote:

...

I spent over an hour trying to find out why your message gives a bad sig warning in Mutt from PGP 6.5.8 without any productive result. :(

Maybe because the signature is attached instead of inserted inline?

...

And, I certainly agree that Mutt is a "real" MUA. Best there is, IMO. www.mutt.org

I wan't complain with that... I haven't found the perfect MUA, so I don't say which is best. Some I like better, some I dislike, some good, some bad (in any mixture). -- Cheers, Carlos Robinson

Mitch Thompson

16:18

New subject: [OT] PGP

On Friday 21 March 2003 18:45, Theo v. Werkhoven wrote:

...

On Fri, 21 Mar 2003, Carlos just had to get this off his chest:

...
The 03.03.20 at 18:53, Tom Wesley wrote:

...
That depends on your mail client. KMail has options within the Configure -> Security. But I'm quite sure that it's turned on by default. Pine has extras that can make it work with a little work.

Well, after generating a new DSA key and uploading it to a keyserver, I went to tell KMail to use it and although it sees the key, when I select it, the 'OK' button remains ghosted. So, now to figure out how to use my new key with KMail. -- Mitch Thompson, San Antonio TX // WB5UZG Red Hat Certified Engineer (RHCE) http://home.satx.rr.com/mlthompson Independent Amsoil Dealer http://amsdealer.webhop.biz wget -O - http://home.satx.rr.com/mlthompson/pubkey.gpg | gpg --import -- "There are 10 kinds of people in the world: those who understand binary, and those who don't."

David Herman

16:35

New subject: [SLE] Re: [OT] PGP

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Saturday 22 March 2003 08:18 am, Mitch Thompson wrote:

...

On Friday 21 March 2003 18:45, Theo v. Werkhoven wrote:

...
On Fri, 21 Mar 2003, Carlos just had to get this off his chest:

...
The 03.03.20 at 18:53, Tom Wesley wrote:

...
That depends on your mail client. KMail has options within the Configure -> Security. But I'm quite sure that it's turned on by default. Pine has extras that can make it work with a little work.

Well, after generating a new DSA key and uploading it to a keyserver, I went to tell KMail to use it and although it sees the key, when I select it, the 'OK' button remains ghosted. So, now to figure out how to use my new key with KMail.

I tried this last night and had to delete my old key for the new one to work (in kmail). Not a very great solution if you've actually been encrypting files or messages for awhile. Hopefully someone has a more acceptable solution - -- dh Don't shop at GoogleGear.com! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+fJDuBwgxlylUsJARAiCMAKCOtcBVwcW9t982Yftkql8cUthwtQCgh+p5 T0obaxYbsC4G4/N4xFw/RT0= =YMLf -----END PGP SIGNATURE-----

Mitch Thompson

17:33

New subject: [SLE] Re: [OT] PGP

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Saturday 22 March 2003 10:35, David Herman wrote:

...

On Saturday 22 March 2003 08:18 am, Mitch Thompson wrote:

...
On Friday 21 March 2003 18:45, Theo v. Werkhoven wrote:

...
On Fri, 21 Mar 2003, Carlos just had to get this off his chest:

...
The 03.03.20 at 18:53, Tom Wesley wrote:

...
That depends on your mail client. KMail has options within the Configure -> Security. But I'm quite sure that it's turned on by default. Pine has extras that can make it work with a little work.

Well, after generating a new DSA key and uploading it to a keyserver, I went to tell KMail to use it and although it sees the key, when I select it, the 'OK' button remains ghosted. So, now to figure out how to use my new key with KMail.

I tried this last night and had to delete my old key for the new one to work (in kmail). Not a very great solution if you've actually been encrypting files or messages for awhile.

Hopefully someone has a more acceptable solution --

That worked here, too, after logging out and back in, I am now able to use my new key. Really sux, since I've had that key out for two years now. This message will be signed with the new key, so those who were complaining about the length of my signature, how does it look, now? - -- Mitch Thompson, San Antonio TX // WB5UZG Red Hat Certified Engineer (RHCE) http://home.satx.rr.com/mlthompson Independent Amsoil Dealer http://amsdealer.webhop.biz wget -O - http://home.satx.rr.com/mlthompson/pubkey.gpg | gpg --import - -- "There are 10 kinds of people in the world: those who understand binary, and those who don't." -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE+fJ5Yw6DOTK6+YTURAkJYAJoDcL3uh8SRRgB4F3PTI10jB8/06ACeJIQ0 It6pLhD6iONNp4Xy8qCGGg4= =1eDq -----END PGP SIGNATURE-----

Tom Emerson

18:54

New subject: [SLE] Re: [OT] PGP

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Saturday 22 March 2003 9:33 am, Mitch Thompson wrote:

...

On Saturday 22 March 2003 10:35, David Herman wrote:

...
On Saturday 22 March 2003 08:18 am, Mitch Thompson wrote:

...
Well, after generating a new DSA key and uploading it to a keyserver, I went to tell KMail to use it and although it sees the key, when I select it, the 'OK' button remains ghosted. So, now to figure out how to use my new key with KMail.

bring this up as a "bug" on the kmail developer/bug list: kmail@kmail.kde.org (requires subscription, or else go to the web-based bug manager...) manual method listed below

...

...
I tried this last night and had to delete my old key for the new one to work (in kmail). Not a very great solution if you've actually been encrypting files or messages for awhile.

That worked here, too, after logging out and back in, I am now able to use my new key. Really sux, since I've had that key out for two years now.

There is an initialization file located under "$HOME/.kde/share/config" called "kmailrc". This is a plain text file [you may want to exit kmail while editing it] search and replace the key value on lines that read Default PGP Key=<VALUE> [good thing I looked -- appearently one of my "profiles" is using an old/incorrect key] - -- Yet another Blog: http://osnut.homelinux.net -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) Comment: http://osnut.homelinux.net/TomEmerson.asc iD8DBQE+fLFiV/YHUqq2SwsRApXjAJ9PgN5woSiVn58G3CyicoNqEwbAEwCeI2Ed elWrI2yK1zvX3BHbG+HjMD8= =0PJi -----END PGP SIGNATURE-----

Theo v. Werkhoven

22:54

New subject: [SLE] Re: [OT] PGP

On Sat, 22 Mar 2003, Mitch just had to get this off his chest: [..]

...

This message will be signed with the new key, so those who were complaining about the length of my signature, how does it look, now?

Only three lines. That at least should keep people happy. Theo -- Theo v. Werkhoven Registered Linux user# 99872 http://counter.li.org ICBM 52 13 27N , 4 29 45E. SuSE 8.0 x86 Kernel k_Athlon 2.4.19-4GB See headers for PGP/GPG info.

Mitch Thompson

23:10

New subject: [SLE] Re: [OT] PGP

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Saturday 22 March 2003 16:54, Theo v. Werkhoven wrote:

...

On Sat, 22 Mar 2003, Mitch just had to get this off his chest:

[..]

...
This message will be signed with the new key, so those who were complaining about the length of my signature, how does it look, now?

Only three lines. That at least should keep people happy.

Theo

So, that would seem to indicate that either it was totally random chance that my signature was so long, or it was a result of using ElGamal only versus DSA/ElGamal for my key type... - -- Mitch Thompson, San Antonio TX // WB5UZG Red Hat Certified Engineer (RHCE) http://home.satx.rr.com/mlthompson Independent Amsoil Dealer http://amsdealer.webhop.biz wget -O - http://home.satx.rr.com/mlthompson/pubkey.gpg | gpg --import - -- "There are 10 kinds of people in the world: those who understand binary, and those who don't." -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE+fO2Gw6DOTK6+YTURAn5gAJ9j+83VtSCDuEAOVQaisTH9cSpTgACdHUKK gJIJa1i8QxC66WdlqsUBUaI= =rBJe -----END PGP SIGNATURE-----

Mitch Thompson

23:16

New subject: [SLE] Re: [OT] PGP

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Saturday 22 March 2003 17:10, Mitch Thompson wrote:

...

On Saturday 22 March 2003 16:54, Theo v. Werkhoven wrote:

...
On Sat, 22 Mar 2003, Mitch just had to get this off his chest:

[..]

...
This message will be signed with the new key, so those who were complaining about the length of my signature, how does it look, now?

Only three lines. That at least should keep people happy.

Theo

So, that would seem to indicate that either it was totally random chance that my signature was so long, or it was a result of using ElGamal only versus DSA/ElGamal for my key type...

I know I shouldn't be talking to myself, but I noticed that when this came through that the header KMail puts on a signed message changed from Yellow to Green and has the heading Message was signed by James M. Thompson (New Key) (Key ID: 0xAEBE6135). The signature is valid and the key is ultimately trusted. Before it was saying that the signature was valid but the key was unknown or something similar. So, another indicator that "ElGamal" keys by themselves cause problems. - -- Mitch Thompson, San Antonio TX // WB5UZG Red Hat Certified Engineer (RHCE) http://home.satx.rr.com/mlthompson Independent Amsoil Dealer http://amsdealer.webhop.biz wget -O - http://home.satx.rr.com/mlthompson/pubkey.gpg | gpg --import - -- "There are 10 kinds of people in the world: those who understand binary, and those who don't." -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE+fO60w6DOTK6+YTURAq2CAJ9Q2U9zRCjZaVuGnK5sm0YkTooRNwCgk8Hb 7LBJmfKyYrfQBBA9TbCWX9Q= =TMPb -----END PGP SIGNATURE-----

Patrick Shanahan

23:20

New subject: [SLE] Re: [OT] PGP

* Theo v. Werkhoven [03-22-03 17:56]:

...

On Sat, 22 Mar 2003, Mitch just had to get this off his chest:

[..]

...
This message will be signed with the new key, so those who were complaining about the length of my signature, how does it look, now?

Only three lines. That at least should keep people happy.

I do not understand your numerology. There are 14 lines in his 'sig'. I do *not* believe that gpg signing is a bad thing, but should be utilized when *necessary*, not wholesale. I lock my toolshed but leave the box of birdseed outside unlocked. A typewritten name at the bottom of some documents is sufficient, but a signature is required for others. I would prefer that prisons were locked but hospitals allowed mostly unfettered access. As I recall from the early readings, an accepted (at lease was accepted) standard for a sig was a *max* of four lines. HTML is for web pages, not email, quotes should be trimmed to relevant material and you should respond *after* a question, not before. -- Patrick Shanahan Please avoid TOFU and trim >quotes< http://wahoo.no-ip.org Registered Linux User #207535 icq#173753138 @ http://counter.li.org Linux, a continuous *learning* experience

Mitch Thompson

23:25

New subject: [SLE] Re: [OT] PGP

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Saturday 22 March 2003 17:20, Patrick Shanahan wrote:

...

* Theo v. Werkhoven [03-22-03 17:56]:

...
On Sat, 22 Mar 2003, Mitch just had to get this off his chest:

[..]

...
This message will be signed with the new key, so those who were complaining about the length of my signature, how does it look, now?

Only three lines. That at least should keep people happy.

I do not understand your numerology. There are 14 lines in his 'sig'.

I do *not* believe that gpg signing is a bad thing, but should be utilized when *necessary*, not wholesale.

Ain't choice cool?

...

I lock my toolshed but leave the box of birdseed outside unlocked. A typewritten name at the bottom of some documents is sufficient, but a signature is required for others. I would prefer that prisons were locked but hospitals allowed mostly unfettered access.

As I recall from the early readings, an accepted (at lease was accepted) standard for a sig was a *max* of four lines. HTML is for web pages, not email, quotes should be trimmed to relevant material and you should respond *after* a question, not before.

"The nice thing about standards is that there are so many to choose from." - -- Mitch Thompson, San Antonio TX // WB5UZG Red Hat Certified Engineer (RHCE) http://home.satx.rr.com/mlthompson Independent Amsoil Dealer http://amsdealer.webhop.biz wget -O - http://home.satx.rr.com/mlthompson/pubkey.gpg | gpg --import - -- "There are 10 kinds of people in the world: those who understand binary, and those who don't." -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE+fPDbw6DOTK6+YTURAnrxAJ9346xTFRyKBPdNWr/x8Eq5wNXiUQCcDPM4 A03ndQ1gJNgf7Y0ONop+R84= =3/Bs -----END PGP SIGNATURE-----

Patrick Shanahan

23:38

New subject: [SLE] Re: [OT] PGP

* Mitch Thompson [03-22-03 18:26]:

...

"The nice thing about standards is that there are so many to choose from."

- -- Mitch Thompson, San Antonio TX // WB5UZG Red Hat Certified Engineer (RHCE) http://home.satx.rr.com/mlthompson Independent Amsoil Dealer http://amsdealer.webhop.biz wget -O - http://home.satx.rr.com/mlthompson/pubkey.gpg | gpg --import - -- "There are 10 kinds of people in the world: those who understand binary, and those who don't." -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+fPDbw6DOTK6+YTURAnrxAJ9346xTFRyKBPdNWr/x8Eq5wNXiUQCcDPM4 A03ndQ1gJNgf7Y0ONop+R84= =3/Bs -----END PGP SIGNATURE-----

Proper termonology for that sentence is fud. -- Patrick Shanahan Please avoid TOFU and trim >quotes< http://wahoo.no-ip.org Registered Linux User #207535 icq#173753138 @ http://counter.li.org Linux, a continuous *learning* experience

Theo v. Werkhoven

23 Mar 23 Mar

00:05

New subject: [SLE] Re: [OT] PGP

On Sat, 22 Mar 2003, Patrick just had to get this off his chest:

...

* Theo v. Werkhoven [03-22-03 17:56]:

...
On Sat, 22 Mar 2003, Mitch just had to get this off his chest:

[..]

...
This message will be signed with the new key, so those who were complaining about the length of my signature, how does it look, now?

Only three lines. That at least should keep people happy.

I do not understand your numerology. There are 14 lines in his 'sig'.

We were talking about his GPG/PGP signature only. I for one do not even see the raw sigs, only that the mail is signed (I had to do a special search in Maildir/cur/ to read the raw message).

...

I do *not* believe that gpg signing is a bad thing, but should be utilized when *necessary*, not wholesale.

I lock my toolshed but leave the box of birdseed outside unlocked. A

Unless there is a bird-hater around who uses your birdseed to poison the poor birdies..

...

typewritten name at the bottom of some documents is sufficient, but a signature is required for others. I would prefer that prisons were locked but hospitals allowed mostly unfettered access.

Prisons are locked only in one way (usually) and mental hostpitals are just as locked as prisons (usually). The problem with analogies is that they're never fully adequate to clarify a point.

...

As I recall from the early readings, an accepted (at lease was accepted) standard for a sig was a *max* of four lines. HTML is for

A sig that is hidden by my MUA doesn't really count as extra IMHO.

...

web pages, not email, quotes should be trimmed to relevant material and you should respond *after* a question, not before.

All of this is obeyed afaik. Theo -- Theo v. Werkhoven Registered Linux user# 99872 http://counter.li.org ICBM 52 13 27N , 4 29 45E. SuSE 8.0 x86 Kernel k_Athlon 2.4.19-4GB See headers for PGP/GPG info.

rex

00:31

New subject: [SLE] Re: [OT] PGP

Patrick Shanahan [2003-03-22 16:03]:

...

I do not understand your numerology. There are 14 lines in his 'sig'.

I do *not* believe that gpg signing is a bad thing, but should be utilized when *necessary*, not wholesale.

I count 43 lines in the header of your message. Does the addition of 14(?) lines in a very few messages make a significant difference? More important, isn't it up to the sender of a message to determine when a PGP/GPG sig is "necessary"? You and I don't know the circumstances; perhaps the sender is being targeted by someone who is forging messages and attributing them to the sender.

...

As I recall from the early readings, an accepted (at lease was accepted) standard for a sig was a *max* of four lines. HTML is for web pages, not email, quotes should be trimmed to relevant material and you should respond *after* a question, not before.

I agree with all of this, but note that the 4 line max sig was adopted before the advent of digital signatures, and in the days when a 1200 bps modem was state of the art. To each his own, but I find a N line digital sig much less annoying than the common sigs that almost never change. -rex -- In the 60s, people took acid to make the world weird. Now, the world is weird, and people take Prozac to make it normal.

Chris Geske

20 Mar 20 Mar

19:00

New subject: [SLE] Re: OT PGP - Was [SLE] 8.2 Announced

...

-----Original Message----- From: Jeff Dierking [mailto:jeff@lordjester.com] Sent: Thursday, March 20, 2003 12:13 PM To: fsanta Cc: SuSE Subject: [SLE] Re: OT PGP - Was [SLE] 8.2 Announced

OK, quick reasoning behind a signed message...

Signing a message ensures the receiver that the originator is who they say they are. Too many people assume (and that's a bad thing) that just becaus it say it is from a person that it is. Not so. Anybody can spoof their name and address.

I am sorry that it annoys you, but is it really that big of a deal? I could understand if it was a 2 line message with a 100 line signature.

Jeff Dierking

Can anyone honestly say they have had such important emails that they had to use pgp to confirm the sender? I know a ton of people who use to use pgp a few years ago, none of them are currently using it! I send analytical data to our clients, and I could see the use of pgp in that case. But com'n, using pgp in mail lists is a little overboard. chris

James Oakley

21 Mar 21 Mar

18:42

New subject: [SLE] Re: OT PGP - Was [SLE] 8.2 Announced

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thursday 20 March 2003 03:00 pm, Chris Geske wrote:

...

Can anyone honestly say they have had such important emails that they had to use pgp to confirm the sender?

I know a ton of people who use to use pgp a few years ago, none of them are currently using it!

I send analytical data to our clients, and I could see the use of pgp in that case. But com'n, using pgp in mail lists is a little overboard.

It's more important in public mailing lists, IMO. Imagine if someone sent an email to the list, pretending to be me, saying that my apt server moved to another host. This theoretical evil guy could have put trojans in the packages. If the signature fails, people will be wary. Also, imagine if someone in your company posted your company's secrets on the list, pretending to be you. If you can't prove that you didn't do it, you could be fired/sued. - -- James Oakley Engineering - SolutionInc Ltd. joakley@solutioninc.com http://www.solutioninc.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE+e10j+FOexA3koIgRAnpmAJ9lSwluJNrFHRpG8IYf74OzXAlfVQCeINPg R2Va43J1Y6aWQlegZOjxn7I= =a1Yc -----END PGP SIGNATURE-----

Patrick Shanahan

19:04

New subject: [SLE] Re: OT PGP - Was [SLE] 8.2 Announced

* James Oakley [03-21-03 13:40]:

...

On Thursday 20 March 2003 03:00 pm, Chris Geske wrote:

...
Can anyone honestly say they have had such important emails that they had to use pgp to confirm the sender?

I know a ton of people who use to use pgp a few years ago, none of them are currently using it!

I send analytical data to our clients, and I could see the use of pgp in that case. But com'n, using pgp in mail lists is a little overboard.

It's more important in public mailing lists, IMO. Imagine if someone sent an email to the list, pretending to be me, saying that my apt server moved to another host. This theoretical evil guy could have put trojans in the packages. If the signature fails, people will be wary.

Also, imagine if someone in your company posted your company's secrets on the list, pretending to be you. If you can't prove that you didn't do it, you could be fired/sued.

But, your pgp sig block is *not* 15-20 lines long, either. -- Patrick Shanahan Please avoid TOFU and trim >quotes< http://wahoo.no-ip.org Registered Linux User #207535 icq#173753138 @ http://counter.li.org Linux, a continuous *learning* experience

rex

19:38

New subject: [SLE] [OT] PGP - Was [SLE] 8.2 Announced

James Oakley [2003-03-21 11:07]:

...

Also, imagine if someone in your company posted your company's secrets on the list, pretending to be you. If you can't prove that you didn't do it, you could be fired/sued.

Alas, the absence of a sig is not proof that the poster is an impostor. Signing every post adds to the credibility of denying an unsigned post is from you, but it's not proof. -rex

David Herman

20:10

New subject: [SLE] Re: OT PGP - Was [SLE] 8.2 Announced

On Friday 21 March 2003 10:42 am, James Oakley wrote:

...

On Thursday 20 March 2003 03:00 pm, Chris Geske wrote:

...
Can anyone honestly say they have had such important emails that they had to use pgp to confirm the sender?

I know a ton of people who use to use pgp a few years ago, none of them are currently using it!

I used pgp ocasionally on my amiga years ago, but at the time I was much less active sending e-mail, I plan to start using it again (gpg) as a result of this thread.

...

...
I send analytical data to our clients, and I could see the use of pgp in that case. But com'n, using pgp in mail lists is a little overboard.

It's more important in public mailing lists, IMO. Imagine if someone sent an email to the list, pretending to be me, saying that my apt server moved to another host. This theoretical evil guy could have put trojans in the packages. If the signature fails, people will be wary.

Also, imagine if someone in your company posted your company's secrets on the list, pretending to be you. If you can't prove that you didn't do it, you could be fired/sued.

In these times of diminishing freedoms (in some cases a total re-definition of what freedom is), it is important to preserve the rights you have in order to save them from extinction. Signing messages helps to protect these rights merely through its visibility. The more people who use privacy, authenticity procedures, the more dificult it becomes to restrict these rights. see ya -- dh unsigned today... Don't shop at GoogleGear.com!

Mitch Thompson

22 Mar 22 Mar

05:52

New subject: [SLE] Re: OT PGP - Was [SLE] 8.2 Announced

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Friday 21 March 2003 14:10, David Herman wrote:

...

On Friday 21 March 2003 10:42 am, James Oakley wrote:

...
On Thursday 20 March 2003 03:00 pm, Chris Geske wrote:

...
Can anyone honestly say they have had such important emails that they had to use pgp to confirm the sender?

I know a ton of people who use to use pgp a few years ago, none of them are currently using it!

I used pgp ocasionally on my amiga years ago, but at the time I was much less active sending e-mail, I plan to start using it again (gpg) as a result of this thread.

...

In these times of diminishing freedoms (in some cases a total re-definition of what freedom is), it is important to preserve the rights you have in order to save them from extinction. Signing messages helps to protect these rights merely through its visibility.

The more people who use privacy, authenticity procedures, the more dificult it becomes to restrict these rights.

Which was one of the main reasons I began using PGP/gpg on a regular basis. My belief is it should be universal. This is my way of promoting signing messages. The fact that is not universal, I think, owes to the fact that it is difficult to get that "web of trust" going. It's difficult to get the "web of trust" going, because pgp signing is not universal. BTW, the fact that the *length* of my key is offensive to some is not a selling point for me to stop using it. If, as it turns out, it is the fact that it is an ElGamal-based key rather than DSA-based key which is causing the problem will be the factor that causes me to change my key. In fact, I have already generated a 2048-bit DSA key and uploaded it to wwwkeys.us.pgp.net. I'll start using it as soon as I generate a revokation of my current key. - -- Mitch Thompson, San Antonio TX // WB5UZG Red Hat Certified Engineer (RHCE) http://home.satx.rr.com/mlthompson Independent Amsoil Dealer http://amsdealer.webhop.biz wget -O - http://home.satx.rr.com/mlthompson/pubkey.gpg | gpg --import - -- "There are 10 kinds of people in the world: those who understand binary, and those who don't." -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iQIXAwUBPnv6GtGDyPawr2auFAI5IAgAga0hY4jE6JiTqCTwjwY4BT7ga0WxojZn M2OTICT2+vSGPWv/PTBv/o3eY3ImopDrhTJebubdfGyYz5wVrfRyMAvyQh0IiKTO v/v0tflft9SaDPvoK/Q0kD9pvNBuDQYwr5+ppc+4tvyxLrTinUJLBGuYkdgsPHSb sv86GspSwf4hnsuVfmzvPggd5/tAVEHIcGgdu2i+tQmIrRHOTfbOt/MH/MH14SI8 ldr2e40j9kbFHsEIPPZaJubPzufkF0wQv60qBmj2SqD9sKDYZ1wyUW5nAijlbAWO 9IG/x7hLOS70f1uPPCLDoAu2Ab7kOKesPfZ5xVGf0a1uOGc2iYfV6gf+OnH0Sw24 k91MsOXRxPTYe4jmGp1mFcNETdHUv7pUgdxSntgH8cmoY72fN/WK/77JcAw+pgTk uN1fKTVM/PyjukhuehSTp0y8A+YsI9Tu+f5LZxKE2qfC+g1WIKbn7uPYikqs+zLW osR9+WP9SG2WvNVgqnX+SBc3uiVokKcGhSE5H4GyAIxbP0n3OrUWfk06auvd//fZ Jl3+HO8qlj1OhTzWQyvOUkGqdMCbuZGauwWjZNlPuAWjjt+2L9jnBbfzaTn2TU5d bv2JzyRQd3DfbMbiiVG7csvr2WWeAzsRL8w0PHojoRM0/IQROgvBQkqApytSjhlX 0iH0H8knci8gfQ== =zTMk -----END PGP SIGNATURE-----

Tom Emerson

06:19

New subject: [SLE] Re: OT PGP - Was [SLE] 8.2 Announced

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Friday 21 March 2003 9:52 pm, Mitch Thompson wrote:

...

<some snippage>

...
The more people who use privacy, authenticity procedures, the more dificult it becomes to restrict these rights.

Which was one of the main reasons I began using PGP/gpg on a regular basis. My belief is it should be universal. ...

Here is another bit to ponder: when secure signing does indeed become universal, spam will stop. Drastic claim, I know, but think it through: 1) people can set a rule: if not signed, discard spammers are unlikely to sign their messages -- they thrive on anonymity (*) 2) if signed, check "web of trust" -- does anybody know this guy? 2a) no: discard 2b) yes, but through some "rather shady links": discard in the unlilkey event they DO decide to sign a message, it will "just be a signature" out there -- nobody will claim to know the person (because if they did, you would be able to trace it to the originator) Even if a spammer decides to "fool the system" and uses a legitimate key to sign the "spam" key, that "legitimate" key will quickly lose the "trust" of anyone using it as part of their "web of trust" [remember, one of the "trust" settings is, "I do NOT trust this person at all", which is a polite way of saying, "this guy is an idiot and will sign anything without checking, or worse, purposely sign things that are questionable"] (*) yes, I know that some people have a desire to remain anonymous "on the internet", but that doesn't work very well for e-mail conversations -- newsgroup/mailing list boards like this, however, are an exception, and if the need is great enough, someone will come up with an e-mail reflector that will anonymize members in a trusted way [i.e., anonymous to all save the list owner...] - -- Yet another Blog: http://osnut.homelinux.net -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) Comment: http://osnut.homelinux.net/TomEmerson.asc iD8DBQE+fACPV/YHUqq2SwsRAjUNAJ4o7VKdMx01E/0Rj+g6cFr6UHG3DACgogNR P5zzz1VBJz+FK8n5jtT3+xc= =VyVb -----END PGP SIGNATURE-----

Ian David Laws

15:10

New subject: [SLE] Re: OT PGP - Was [SLE] 8.2 Announced

I do not understand this thread. I am using kmail and his signature is not a 1000 lines long I receive "message was signed with unknown key xxxxx. The validity of the signature can't be verified. I was going to start using pgp to sign my e-mails but now I am not sure as certain MUA seem to have a problem. :-( I do not want to be flamed. I thought if some one wishes to use a signature it was upto them. This is not America where the wishes of one person are pushed onto the rest of the world. :-( Ian On Saturday 22 March 2003 06:52, Mitch Thompson wrote:

...

On Friday 21 March 2003 14:10, David Herman wrote:

...
On Friday 21 March 2003 10:42 am, James Oakley wrote:

...
On Thursday 20 March 2003 03:00 pm, Chris Geske wrote:

...
Can anyone honestly say they have had such important emails that they had to use pgp to confirm the sender?

I know a ton of people who use to use pgp a few years ago, none of them are currently using it!

I used pgp ocasionally on my amiga years ago, but at the time I was much less active sending e-mail, I plan to start using it again (gpg) as a result of this thread.

<some snippage>

...
In these times of diminishing freedoms (in some cases a total re-definition of what freedom is), it is important to preserve the rights you have in order to save them from extinction. Signing messages helps to protect these rights merely through its visibility.

The more people who use privacy, authenticity procedures, the more dificult it becomes to restrict these rights.

Which was one of the main reasons I began using PGP/gpg on a regular basis. My belief is it should be universal. This is my way of promoting signing messages. The fact that is not universal, I think, owes to the fact that it is difficult to get that "web of trust" going. It's difficult to get the "web of trust" going, because pgp signing is not universal.

BTW, the fact that the *length* of my key is offensive to some is not a selling point for me to stop using it. If, as it turns out, it is the fact that it is an ElGamal-based key rather than DSA-based key which is causing the problem will be the factor that causes me to change my key. In fact, I have already generated a 2048-bit DSA key and uploaded it to wwwkeys.us.pgp.net. I'll start using it as soon as I generate a revokation of my current key.

-- --------------------------------------- This mail has been checked for virus by H+BEDEDV AntiVir.

Tom Emerson

19:10

New subject: [SLE] Re: OT PGP - Was [SLE] 8.2 Announced

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Saturday 22 March 2003 7:10 am, Ian David Laws wrote:

...

I do not understand this thread. I am using kmail and his signature is not a 1000 lines long I receive "message was signed with unknown key xxxxx. The validity of the signature can't be verified.

That is what you and I see because kmail detects the signature, strips it from the message, decodes the data in it and "validates" that it is accurate, and checks your keyring to see if you "know" the sender [directly or by proxy]. Having done all that, kmail simply displays a two-line header to the message (and color codes the background to red/yellow/green depending on what it finds) People using other MUA's that aren't configured to check end up displaying the message "as is", meaning the "---begin pgp message---", "---begin pgp signature---", the "signature" itself, and "---end pgp....---" lines are there in all their ugly glory [with this message selected, press the "v" key and you'll see it after the headers] The "complaint" centers around the fact that the "most common" method of signing messages results in about a 4 or 5 line "signature" block; the alternate method that Mitch was using produced a 16 line block -- it is the addition of that dozen lines or so that got people upset, not 1000 lines [though I'd be somewhat annoyed at 1000 lines myself if my client didn't "hide" it from me -- however I'd realize that is "part of the protocol" and simply accept that fact, I wouldn't go looking to shoot the messenger...]

...

I was going to start using pgp to sign my e-mails but now I am not sure as certain MUA seem to have a problem. :-( I do not want to be flamed.

It is a fact of "internet life" that somewhere, sometime, someone WILL flame you for the most trivial of reasons (often they are "trolling" for a response, and "flames" seem to be the most effective "bait") Don't worry about others. A tag line I've seen recently sums it up nicely: "fix your own problems before fixing others" -- by this I don't mean "use a better/different MUA", but rather realize that "someone else" has a problem they haven't attended to, and generally it "isn't your fault", they've just taken their frustration out on you. - -- Yet another Blog: http://osnut.homelinux.net -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) Comment: http://osnut.homelinux.net/TomEmerson.asc iD8DBQE+fLUYV/YHUqq2SwsRAkdCAJ9pICh1QYdlvG7VYB1Ieb1CJZk1ZQCgxphQ 60r4eFloyF7wajorwIQdoTY= =GLGZ -----END PGP SIGNATURE-----

Mitch Thompson

23:29

New subject: [SLE] Re: OT PGP - Was [SLE] 8.2 Announced

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Saturday 22 March 2003 13:10, Tom Emerson wrote:

...

It is a fact of "internet life" that somewhere, sometime, someone WILL flame you for the most trivial of reasons (often they are "trolling" for a response, and "flames" seem to be the most effective "bait") Don't worry about others. A tag line I've seen recently sums it up nicely: "fix your own problems before fixing others" -- by this I don't mean "use a better/different MUA", but rather realize that "someone else" has a problem they haven't attended to, and generally it "isn't your fault", they've just taken their frustration out on you.

Tom, you come across as a very level-headed individual. I've been on mailing lists and using Usenet since 1994, and somewhere I remember seeing two rules: 1) Do not be annoying. 2) Do not be easily annoyed. Most complainers remember the first, but forget the second rule. - -- Mitch Thompson, San Antonio TX // WB5UZG Red Hat Certified Engineer (RHCE) http://home.satx.rr.com/mlthompson Independent Amsoil Dealer http://amsdealer.webhop.biz wget -O - http://home.satx.rr.com/mlthompson/pubkey.gpg | gpg --import - -- "There are 10 kinds of people in the world: those who understand binary, and those who don't." -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE+fPHMw6DOTK6+YTURAuCSAJ9sD0as8s92cEkvw8kw/EsjVNcxYACgk3Gt GLZPklpakjBa6OrsE4GYy/Q= =9DQg -----END PGP SIGNATURE-----

John Pettigrew

23 Mar 23 Mar

19:40

New subject: [SLE] Re: OT PGP - Was [SLE] 8.2 Announced

In a previous message, Tom Emerson wrote:

...

On Saturday 22 March 2003 7:10 am, Ian David Laws wrote:

...
I do not understand this thread. I am using kmail and his signature is not a 1000 lines long I receive "message was signed with unknown key xxxxx. The validity of the signature can't be verified.

People using other MUA's that aren't configured to check

It's not just that - there is a problem with PGP signing on mailing lists, because the list server adds a footer to each post. Only a few MUAs (including kmail) seem to handle this "correctly" and still strip out the PGP code. Most (including mutt and mozilla) don't. So, signing mailing-list posting means that almost everyone not using kmail is stuck reading PGP code. It's not a huge annoyance, but it is a real one because finding the actualy reply within all that extraneous material isn't always easy. John -- John Pettigrew Headstrong Games john@headstrong-games.co.uk Fun : Strategy : Price http://www.headstrong-games.co.uk/ Board games that won't break the bank Fields of Valour: 2 Norse clans battle on one of 3 different boards

rex

20:51

New subject: [SLE] [OT] PGP

John Pettigrew [2003-03-23 12:28]:

...

It's not just that - there is a problem with PGP signing on mailing lists, because the list server adds a footer to each post. Only a few MUAs (including kmail) seem to handle this "correctly" and still strip out the PGP code. Most (including mutt and mozilla) don't.

Mutt (1.4, at least) hides the PGP/GPG sig. -rex

John Pettigrew

21:19

New subject: [SLE] [OT] PGP

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In a previous message, rex wrote:

...

John Pettigrew [2003-03-23 12:28]:

...
It's not just that - there is a problem with PGP signing on mailing lists, because the list server adds a footer to each post. Only a few MUAs (including kmail) seem to handle this "correctly" and still strip out the PGP code. Most (including mutt and mozilla) don't.

Mutt (1.4, at least) hides the PGP/GPG sig.

Is it hiding the PGP code for messages on this list? Because I was reporting what some mutt-users on this list said (that they were also seeing the PGP code). Certainly, mozilla doesn't hide it, so it's not just my MUA. John -- John Pettigrew Headstrong Games john@headstrong-games.co.uk Fun : Strategy : Price http://www.headstrong-games.co.uk/ Board games that won't break the bank Valley of the Kings: ransack an ancient Egyptian tomb but beware of mummies! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6-sb1 (RISC OS) Comment: For info see http://www.gnupg.org iD8DBQE+fiTyp6M/P/S/JWgRApj1AJ9bec2e1plhYEzZJnEi1tcKtv8IOgCePU66 tLT1DVJrZf0EJOXIKEed23s= =vMY1 -----END PGP SIGNATURE-----

John Pettigrew

21:32

New subject: [SLE] [OT] PGP

In a previous message, John Pettigrew wrote:

...

Is it hiding the PGP code for messages on this list? Because I was reporting what some mutt-users on this list said (that they were also seeing the PGP code). Certainly, mozilla doesn't hide it, so it's not just my MUA.

Now this is interesting - I signed that message (as you'll have noticed) and it displays properly here (i.e. PGP code hidden), and the signature verifies. Can someone more knowledgeable than me perhaps see where the relevant difference is between this and the previous signed emails? John -- John Pettigrew Headstrong Games john@headstrong-games.co.uk Fun : Strategy : Price http://www.headstrong-games.co.uk/ Board games that won't break the bank Fields of Valour: 2 Norse clans battle on one of 3 different boards

Patrick Shanahan

21:41

New subject: [SLE] [OT] PGP

* John Pettigrew [03-23-03 16:33]:

...

In a previous message, John Pettigrew wrote:

...
Is it hiding the PGP code for messages on this list? Because I was reporting what some mutt-users on this list said (that they were also seeing the PGP code). Certainly, mozilla doesn't hide it, so it's not just my MUA.

Now this is interesting - I signed that message (as you'll have noticed) and it displays properly here (i.e. PGP code hidden), and the signature verifies. Can someone more knowledgeable than me perhaps see where the relevant difference is between this and the previous signed emails?

There is *no* gpg/pgp sig on this post. I have bounced you direct a full copy of the post. -- Patrick Shanahan Please avoid TOFU and trim >quotes< http://wahoo.no-ip.org Registered Linux User #207535 icq#173753138 @ http://counter.li.org Linux, a continuous *learning* experience

John Pettigrew

22:34

New subject: [SLE] [OT] PGP

In a previous message, Patrick Shanahan wrote:

...

* John Pettigrew [03-23-03 16:33]:

...
Now this is interesting - I signed that message (as you'll have noticed)

There is *no* gpg/pgp sig on this post. I have bounced you direct a full copy of the post.

No - I was talking about the previous email I sent to the list, which *was* signed :-) John -- John Pettigrew Headstrong Games john@headstrong-games.co.uk Fun : Strategy : Price http://www.headstrong-games.co.uk/ Board games that won't break the bank Valley of the Kings: ransack an ancient Egyptian tomb but beware of mummies!

Theo v. Werkhoven

24 Mar 24 Mar

21:17

New subject: [SLE] [OT] PGP

On Sun, 23 Mar 2003, John just had to get this off his chest:

...

In a previous message, John Pettigrew wrote:

...
Is it hiding the PGP code for messages on this list? Because I was reporting what some mutt-users on this list said (that they were also seeing the PGP code). Certainly, mozilla doesn't hide it, so it's not just my MUA.

Now this is interesting - I signed that message (as you'll have noticed) and it displays properly here (i.e. PGP code hidden), and the signature verifies. Can someone more knowledgeable than me perhaps see where the relevant difference is between this and the previous signed emails?

Mutt and KMail show their use of MIME and RFC2015 for PGP signed/encrypted mail in the headers, e.g.: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="FUFe+yI/t+r3nyH4" Content-Disposition: inline [snip other headers] --FUFe+yI/t+r3nyH4 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Sun, 23 Mar 2003 you said:

...

Theo v. Werkhoven wrote:

...
On Sun, 23 Mar 2003, DB just had to get this off his chest: [..] [..] Voor GNUpg/pgp zie headers.

--FUFe+yI/t+r3nyH4 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+fh3ec4IkHA+oC7ERAicAAJ0bkw4ckzwQ7/nR/UNnxSgOJZ6qxwCfSZxw fZCBXrBaeBbgABY1LqBYqOs= =OtGL -----END PGP SIGNATURE----- --FUFe+yI/t+r3nyH4-- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Your MUA doesn't use MIME, it just puts the signature in the body: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ *Procmail appends one header line for Mutt:* Content-Type: application/pgp; format=text; x-action=sign -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In a previous message, rex wrote: [..] [..] Valley of the Kings: ransack an ancient Egyptian tomb but beware of mummies! -----BEGIN PGP SIGNATURE---- Version: GnuPG v1.0.6-sb1 (RISC OS) Comment: For info see http://www.gnupg.org iD8DBQE+fiTyp6M/P/S/JWgRApj1AJ9bec2e1plhYEzZJnEi1tcKtv8IOgCePU66 tLT1DVJrZf0EJOXIKEed23s= =vMY1 -----END PGP SIGNATURE----- +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ In both cases Mutt can read the signatures and hides the key. Theo -- Theo v. Werkhoven Registered Linux user# 99872 http://counter.li.org ICBM 52 13 27N , 4 29 45E. SuSE 8.0 x86 Kernel k_Athlon 2.4.19-4GB See headers for PGP/GPG info.

rex

23 Mar 23 Mar

22:12

New subject: [SLE] [OT] PGP

-----BEGIN PGP SIGNED MESSAGE----- John Pettigrew [2003-03-23 13:40]:

...

In a previous message, rex wrote:

...
Mutt (1.4, at least) hides the PGP/GPG sig.

Is it hiding the PGP code for messages on this list? Because I was reporting what some mutt-users on this list said (that they were also seeing the PGP code). Certainly, mozilla doesn't hide it, so it's not just my MUA.

Yes. Your message is signed and the sig is hidden. As a test, I'm signing this in the traditional PGP inline fashion to see if the list footer messes up the sig. BTW, Mutt hides inline sigs, too. - -rex -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 iQCVAwUBPn4xWm8sjl9sYg/JAQEEDgQAnpvbIa3OUhAJK8TWrs56XGsefbGehupV 5ez1i7ivKljJFhhz53rovek5f8PWPLLdehx1TmxhXv7WhZuWkmmvsiIbG/Slb3OK tmUoMTWJUJ8SKT+RWKV0uGmL3rzs1sTBvdBKL7cmq30kP1QfoS51C9mOkakp6hCL QeEQ3O0+kxM= =Spll -----END PGP SIGNATURE-----

rex

22:29

New subject: [SLE] [OT] PGP

rex [2003-03-23 14:20]:

...

As a test, I'm signing this in the traditional PGP inline fashion to see if the list footer messes up the sig. BTW, Mutt hides inline sigs, too.

It works: the list footer is below the end of the sig and PGP ignores it during the verification. However, there is a bug in Mutt 1.4: it reports that the sig could not be verified, but PGP reports a good sig. -rex

Theo v. Werkhoven

21:13

New subject: [SLE] Re: OT PGP - Was [SLE] 8.2 Announced

On Sun, 23 Mar 2003, John just had to get this off his chest:

...

In a previous message, Tom Emerson wrote:

...
On Saturday 22 March 2003 7:10 am, Ian David Laws wrote:

...
I do not understand this thread. I am using kmail and his signature is not a 1000 lines long I receive "message was signed with unknown key xxxxx. The validity of the signature can't be verified.

People using other MUA's that aren't configured to check

It's not just that - there is a problem with PGP signing on mailing lists, because the list server adds a footer to each post. Only a few MUAs (including kmail) seem to handle this "correctly" and still strip out the PGP code. Most (including mutt and mozilla) don't.

I think the mailinglist software is smarter than that. Mutt e.g. normally encodes signed messages in quoted-printable as "Content-Type: multipart/signed" with "Content-Disposition: inline" Ezmlm is smart enough *not* to try to mess with MIME contents, and so doesn't append its own sig to these messages. At least.. that is what I notice when I look at signed messages that follow RFC2015. Mutt (here at least) has no problems finding and verifying the signatures.

...

So, signing mailing-list posting means that almost everyone not using kmail is stuck reading PGP code. It's not a huge annoyance, but it is a real one because finding the actualy reply within all that extraneous material isn't always easy.

Please do a little more research before making wild and unfounded claims. Theo -- Theo v. Werkhoven Registered Linux user# 99872 http://counter.li.org ICBM 52 13 27N , 4 29 45E. SuSE 8.0 x86 Kernel k_Athlon 2.4.19-4GB See headers for PGP/GPG info.

John Pettigrew

21:25

New subject: [SLE] Re: OT PGP - Was [SLE] 8.2 Announced

In a previous message, Theo v. Werkhoven wrote:

...

On Sun, 23 Mar 2003, John just had to get this off his chest:

...
there is a problem with PGP signing on mailing lists, because the list server adds a footer to each post.

I think the mailinglist software is smarter than that. [snip] [it] doesn't append its own sig to these messages. At least.. that is what I notice when I look at signed messages that follow RFC2015. Mutt (here at least) has no problems finding and verifying the signatures.

So why is the list server adding these sigs to messages on this list? Is the problem that kmail (or whatever) isn't setting its headers correctly?

...

...
So, signing mailing-list posting means that almost everyone not using kmail is stuck reading PGP code.

Please do a little more research before making wild and unfounded claims.

My apologies if I offended you. From the comments made on this list, it certainly sounded like kmail was both producing the 'offending' messages and also displaying them correctly, and that most if not all other MUAs weren't displaying them correctly. If that makes my comment "wild and unfounded" then I'm sorry. I am, however, not the only person on this list who was seeing messages with PGP code displayed when normal PGP messages are OK. John -- John Pettigrew Headstrong Games john@headstrong-games.co.uk Fun : Strategy : Price http://www.headstrong-games.co.uk/ Board games that won't break the bank Valley of the Kings: ransack an ancient Egyptian tomb but beware of mummies!

Patrick Shanahan

21:30

New subject: [SLE] Re: OT PGP - Was [SLE] 8.2 Announced

* Theo v. Werkhoven [03-23-03 16:16]:

...

On Sun, 23 Mar 2003, John just had to get this off his chest: [snip]

...
So, signing mailing-list posting means that almost everyone not using kmail is stuck reading PGP code. It's not a huge annoyance, but it is a real one because finding the actualy reply within all that extraneous material isn't always easy.

Please do a little more research before making wild and unfounded claims.

You should get some of *your* facts straight. Mutt discriminates between mime and plain-text gpg/pgp sigs. Mime is shown as a none viewable attachment and plain-text is exhibited as plain-text, ie: normal message traffic. If you are from Missouri, I can do a screen capture and post a link to the jpeg capture file. Just ask. -- Patrick Shanahan Please avoid TOFU and trim >quotes< http://wahoo.no-ip.org Registered Linux User #207535 icq#173753138 @ http://counter.li.org Linux, a continuous *learning* experience

Theo v. Werkhoven

24 Mar 24 Mar

20:42

New subject: [SLE] Re: OT PGP - Was [SLE] 8.2 Announced

On Sun, 23 Mar 2003, Patrick just had to get this off his chest:

...

* Theo v. Werkhoven [03-23-03 16:16]:

...
On Sun, 23 Mar 2003, John just had to get this off his chest: [snip]

...
So, signing mailing-list posting means that almost everyone not using kmail is stuck reading PGP code. It's not a huge annoyance, but it is a real one because finding the actualy reply within all that extraneous material isn't always easy.

Please do a little more research before making wild and unfounded claims.

You should get some of *your* facts straight. Mutt discriminates between mime and plain-text gpg/pgp sigs. Mime is shown as a none viewable attachment and plain-text is exhibited as plain-text, ie: normal message traffic.

Actually, my procmail recipy (which some other person showed here aswell) adds some header line for PGP stuff when they're missing, so that Mutt doesn't get confused. The attachments can always be shown with 'v'

...

If you are from Missouri, I can do a screen capture and post a link to the jpeg capture file. Just ask.

Missouri? Would I have to drive to your local postoffice or something ;-) ? Theo -- Theo v. Werkhoven Registered Linux user# 99872 http://counter.li.org ICBM 52 13 27N , 4 29 45E. SuSE 8.0 x86 Kernel k_Athlon 2.4.19-4GB See headers for PGP/GPG info.

Victor R. Cardona

25 Mar 25 Mar

16:39

New subject: [SLE] Re: OT PGP - Was [SLE] 8.2 Announced

On Sun, Mar 23, 2003 at 07:40:05PM +0000, John Pettigrew wrote:

...

It's not just that - there is a problem with PGP signing on mailing lists, because the list server adds a footer to each post. Only a few MUAs (including kmail) seem to handle this "correctly" and still strip out the PGP code. Most (including mutt and mozilla) don't.

I use mutt, and I have no problems with Mitch's messages. I just see the two-line message the Mutt adds telling me that the message was signed and the public key is unknown. Victor

Jesse Shaver

01:17

New subject: [SLE] Re: OT PGP - Was [SLE] 8.2 Announced

I tried to download you public key with the command in your signature (wget -O - http://home.satx.rr.com/mlthompson/pubkey.gpg | gpg --import), but your message still shows up in mail as yellow with the message: Message was signed with unknown key 0xB0AF66AE. The validity of the signature can't be verified. What am i doing wrong? thanks -- Jesse Shaver

Tom Emerson

08:23

New subject: [SLE] Re: OT PGP - Was [SLE] 8.2 Announced

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Monday 24 March 2003 5:17 pm, Jesse Shaver wrote:

...

I tried to download you public key with the command in your signature (wget -O - http://home.satx.rr.com/mlthompson/pubkey.gpg | gpg --import), but your message still shows up in mail as yellow with the message: Message was signed with unknown key 0xB0AF66AE. The validity of the signature can't be verified. What am i doing wrong?

Well, for one thing the key at home.satx... isn't key B0AF66AE -- it is key AEBE6135! When you imported the key, you should have seen a line like this: tom@bigbro:~/Documents/security> gpg --import pubkey.gpg gpg: Warning: using insecure memory! gpg: please see http://www.gnupg.org/faq.html for more information gpg: key AEBE6135: public key imported gpg: Total number processed: 1 gpg: imported: 1 That line in the middle tells you which "key" was in the file, and appearently it isn't the "key" that Mr. Thompson is using to sign the messages in this list (something is out of synch) [actually, I just checked -- this is a "new" key that was created on the 20th, with an expiration of one year, and going "backward" through the chain of messages on this thread I see that his most RECENT message was signed by this new key, but the older one was signed by the other key] However, even if it were the correct one, the message will (most likely) STILL be in yellow! The "signature can't be verified" will be changed to: Message was signed by James M. Thompson (New Key) (Key ID: 0xAEBE6135). The signature is valid, but the key is untrusted. which is to be expected -- it is very unlikely that you know him personally, but that is somewhat irrelevant -- the whole beauty of "the process" is that Mr. Thompson will go about getting his "key" signed by other people by seeing them "face to face". As he gathers signatures he should update the key he has posted. Eventually he will get his key signed by someone you have met and added to YOUR keyring, at which point gpg can establish a level of "trust" to the signature that enables the display to switch to "green". - -- Yet another Blog: http://osnut.homelinux.net -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) Comment: http://osnut.homelinux.net/TomEmerson.asc iD8DBQE+gBIdV/YHUqq2SwsRAsg3AJ9LnrZ8cYFWLTCyz0KWQ9TsZEaK2gCfcKUd zwCX3eGXRAkyb9nqK6Z+6g0= =7Gm/ -----END PGP SIGNATURE-----

Mitch Thompson

14:57

New subject: [SLE] Re: OT PGP - Was [SLE] 8.2 Announced

On Tuesday 25 March 2003 02:23, Tom Emerson wrote:

...

On Monday 24 March 2003 5:17 pm, Jesse Shaver wrote:

...
I tried to download you public key with the command in your signature (wget -O - http://home.satx.rr.com/mlthompson/pubkey.gpg | gpg --import), but your message still shows up in mail as yellow with the message: Message was signed with unknown key 0xB0AF66AE. The validity of the signature can't be verified. What am i doing wrong?

Well, for one thing the key at home.satx... isn't key B0AF66AE -- it is key AEBE6135!

Yes, I changed to a DSA/ElGamal key the other day, due to problems which seemed to stem from having an ElGamal only key. The key on my web site is my NEW public key. -- Mitch Thompson, San Antonio TX // WB5UZG Red Hat Certified Engineer (RHCE) http://home.satx.rr.com/mlthompson Independent Amsoil Dealer http://amsdealer.webhop.biz wget -O - http://home.satx.rr.com/mlthompson/pubkey.gpg | gpg --import -- "There are 10 kinds of people in the world: those who understand binary, and those who don't."

Graham Murray

22 Mar 22 Mar

17:33

New subject: [SLE] Re: OT PGP - Was [SLE] 8.2 Announced

David Herman

17:52

New subject: [SLE] Re: OT PGP - Was [SLE] 8.2 Announced

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Saturday 22 March 2003 09:33 am, Graham Murray wrote: Something reguarding James Oakley and a failed signature. I'm sending this message because all that appeared in kmail (before I viewed the source) was a blank message w/ the signature icon at the bottom. (User-Agent: Gnus/5.090017 (Oort Gnus v0.17) Emacs/21.3.50 (gnu/linux)) Additionally While following this thread I've noticed occasional inconsistancies in kmails recognition of signatures. I mailed myself a test message from evolution and got the message "Message was signed with unknown key. The validity of the signature cannot be verified. Problem: OpenPGP plug-in was not specified. Use the 'Settings->Configure KMail->Security' dialog to specify the plug-in or ask your system administrator to do that for you." This is with the same key that I used to send this message. I've recieved the same error on mails from "Theo v. Werkhoven" (User-Agent: Mutt/1.4.1i) even though I have imported his key Ideas appreciated - -- dh Don't shop at GoogleGear.com! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+fKL7BwgxlylUsJARAnNkAJ9SUfIgxu/QgVnlBEGREVELc3Y/6ACfcBOc oZau8/C6krHaXwtDqq2qZNo= =+Nh/ -----END PGP SIGNATURE-----

Tom Emerson

19:16

New subject: [SLE] Re: OT PGP - Was [SLE] 8.2 Announced

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Saturday 22 March 2003 9:52 am, David Herman wrote:

...

On Saturday 22 March 2003 09:33 am, Graham Murray wrote: Something reguarding James Oakley and a failed signature.

I'm sending this message because all that appeared in kmail (before I viewed the source) was a blank message w/ the signature icon at the bottom. (User-Agent: Gnus/5.090017 (Oort Gnus v0.17) Emacs/21.3.50 (gnu/linux))

that is what I saw with kmail as well :) [...]

...

Problem: OpenPGP plug-in was not specified. [...] Ideas appreciated

see the kmail developer/bug list -- there is a fair amount of info on this, and it generally relates to how well you've installed the "agypten" plug-in. I have not yet installed it, so kmail goes back to the older in-line method of detection and verification, and appearently doesn't always work. I suspect the same thing may be true for Gnus - -- Yet another Blog: http://osnut.homelinux.net -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) Comment: http://osnut.homelinux.net/TomEmerson.asc iD8DBQE+fLafV/YHUqq2SwsRAt/XAKCWtGsokRGw8T4E6PpxVj8z2osxhQCcDvlf Dv4S2havMU9ChOBB7OW3hII= =gf1w -----END PGP SIGNATURE-----

pinto

20:01

New subject: [SLE] Re: OT PGP - Was [SLE] 8.2 Announced

On Saturday 22 March 2003 07:16 pm, Tom Emerson wrote:

...

...
Problem: OpenPGP plug-in was not specified. Ideas appreciated see the kmail developer/bug list -- there is a fair amount of info on this, and it generally relates to how well you've installed the "agypten" plug-in.

Does anyone know, please, if there is an RPM for the OpenPGP Plug-In ? thanks best wishes ____________ sent on Linux ____________

Patrick Shanahan

20:17

New subject: [SLE] Re: OT PGP - Was [SLE] 8.2 Announced

* pinto [03-22-03 15:05]:

...

Does anyone know, please, if there is an RPM for the OpenPGP Plug-In ?

pin openpgp yealds gpg-1.0.7-82.i586.rpm on your SuSE 8.1 install disks. -- Patrick Shanahan Please avoid TOFU and trim >quotes< http://wahoo.no-ip.org Registered Linux User #207535 icq#173753138 @ http://counter.li.org Linux, a continuous *learning* experience

pinto

23 Mar 23 Mar

06:41

New subject: [SLE] Re: OT PGP - Was [SLE] 8.2 Announced

On Saturday 22 March 2003 08:17 pm, Patrick Shanahan wrote:

...

...
Does anyone know, please, if there is an RPM for the OpenPGP Plug-In ?

pin openpgp yealds gpg-1.0.7-82.i586.rpm on your SuSE 8.1 install disks.

thanks ~ as I am with SuSE 8.0 , guess this means I must install "Aegypten" 'By Hand' ? best wishes ____________ sent on Linux ____________

Patrick Shanahan

13:22

New subject: [SLE] Re: OT PGP - Was [SLE] 8.2 Announced

* pinto [03-23-03 02:06]:

...

On Saturday 22 March 2003 08:17 pm, Patrick Shanahan wrote:

...
...
Does anyone know, please, if there is an RPM for the OpenPGP Plug-In ?

pin openpgp yealds gpg-1.0.7-82.i586.rpm on your SuSE 8.1 install disks.

~ as I am with SuSE 8.0 , guess this means I must install "Aegypten" 'By Hand' ?

on your system, do: pin openpgp It will provide the name of the rpm for your system. man pin will explain the syntax -- Patrick Shanahan Please avoid TOFU and trim >quotes< http://wahoo.no-ip.org Registered Linux User #207535 icq#173753138 @ http://counter.li.org Linux, a continuous *learning* experience

pinto

17:36

New subject: [SLE] Re: OT PGP - Was [SLE] 8.2 Announced

On Sunday 23 March 2003 01:22 pm, Patrick Shanahan wrote:

...

on your system, do: pin openpgp It will provide the name of the rpm for your system.

man pin will explain the syntax

Thanks for SuSE vers 8.0 , seems there is Catch22 : the opengpg rpm does not include the Aegypten Plug-In ~ guess "Aegypten" plug-in needs to be installed by Hand. best wishes ____________ sent on Linux ____________

7709

Age (days ago)

7714

Last active (days ago)

List overview

Download

56 comments

18 participants

participants (18)

Carlos E. R.
Chris Geske
David Herman
Graham Murray
Ian David Laws
James Oakley
Jeff Dierking
Jesse Shaver
John Pettigrew
Johnny Ernst Nielsen
Mitch Thompson
Patrick Shanahan
pinto
rex
Theo v. Werkhoven
Tom Emerson
Tom Wesley
Victor R. Cardona