[PLUG] Re: (forw) Re: Thanks for the PGP signature files

Cooper Stevenson cooper at linux-enterprise.net
Mon Dec 2 23:42:41 UTC 2002


Patrick,

I generally stay out of such issues but if you would be so kind I would
like some clarification in this matter.

In your email you state:

    ``Guess that you "hard-core Linux" guys don't care about Eschelon
    too much. Can't claim that your E-mail messages didn't come from
    you, when they contain an authenticating PGP/GPG signature, can
    you?''

This seems to be an attack. What's not clear to me is exactly whom you
are attacking, ``hard-core Linux guys,'' or people who include their
PGP/GPG signature in their emails. Knowing that these encryption
techniques also exist (and are widely used as they are a standard) for
Windows and other platforms, I am having trouble equating the entire
Linux community with PGP/GPG users.

Would you please help me reconcile this?

Further, you make mention of Eschelon...

    ``Guess that you "hard-core Linux" guys don't care about Eschelon
    too much.''

I sense that there is some background information that I am not privy to
so I cannot comment on Eschelon itself other than to say that if they
are adhering to the same standards as the rest of us (including PGP/GPG)
then there should not be a problem. Otherwise the signature will appear
as text at the bottom of the message.

When you say,

    ``Can't claim that your E-mail messages didn't come from you,[sic]
    when they contain...PGP/GPG signature,''

well, I guess that's pretty much the point. Signatures are the author's
honest assertion that the messages are authentic. Far from being
``egotistical,'' it is in my view an indication that the author clearly
takes responsibility for his communication and is a guarantee to the
recipient that the message is genuine.

I personally am reassured when I see the PGP/GPG information at the
bottom of an email message, whether it is an attachment or not; even if
I do not take the time to authenticate against it I use the signature as
a contributing factor for determining the authenticity of the message. I
check all keys, however, for critical messages.

Of course this may be a moot argument as I am still unsure if you are
talking about ``text PGP'ers'' or the Linux community on the whole.

Finally you make the following argument:

    ``In the spirit of all of us - with diverse OS's and experience
    levels - getting along, you guys COULD easily just append a KEY file
    to the E-mail, and not a full signature.''

I agree with you that we should all work to make things as easy for as
wide an audience as possible...but not at the expense of security.

The fact that an individual can attach the signature as a file isn't the
point. The truth is that they're playing by the rules. If on the
delivery side you've chosen a system based on ``what's popular'' rather
than functionality and standards adherence, then it seems you've only
given yourself rope with regard to others who do adhere to the standard.

Besides, if your client were open source you would likely find a module
that enables PGP decryption. Short of that you could write your own,
have someone do it for you, or at the very least submit it as a feature
request.

-Cooper

On Mon, 2002-12-02 at 14:37, Patrick Beart wrote:
> At 12:54 PM -0800 12/2/02, Bruce Kingsland wrote:
> >Steve Beattie's Log: StarDate 1112.1226:
> >>  On Tue, Nov 12, 2002 at 12:04:02PM -0800, Sandy Herring wrote:
> >>  > Curious to know if you got a similar complaint/request from Patrick (see
> >>  > attached).
> >>
> >>  I did not, but then I haven't posted recently (or if I have, it's
> >>  because someone is spoofing as me, so you should verify my signatures
> >>  :-) ), so that's probably why he didn't complain to me.
> >
> >Yes, I did. But my procmail put it in the wrong folder, and I just now
> >saw it. I also liked your response, Sandy. Very well done!
> >
> >>  BTW, your response was a lot more patient than I probably would have been,
> >>  nicely done. I don't remember if Eudora is a Mac only MUA -- I thought
> >>  at one point they were talking about porting to Windows.  The only other
> >
> >Eudora has been a windows app for at least 5 years, maybe longer.
> >
> >>  thing I'd have probably mentioned is the reason I GPG sign everything
> >>  is as a first step to get people using MUAs that support encryption,
> >>  so that eventually encryption of email is a relatively common occurrence
> >
> >Ditto!
> 
> 
> 	Guess that you "hard-core Linux" guys don't care about 
> Eschelon too much. Can't claim that your E-mail messages didn't come 
> from you, when they contain an authenticating PGP/GPG signature, can 
> you?
> 
> 
> 
> 
> >  > (I'm still looking for a plugin to mailman to run a gpg based email list).
> >>
> >>  Hopefully Patrick isn't expecting the rest of us to stop signing our
> >>  emails, cuz it ain't gonna happen.
> >
> >Yep, Patrick is gonna have to step up to the plate with the rest of us...
> 
> 
> 	Yep.
> 
> <facetious comment>
> ----------------
> 	With so MANY MUA's out there that are fully compliant with 
> the relevant RFC's, -- and which won't separate your silly (and 
> egotistical, IMO) GPG signatures into text file attachments, -- 
> it's SO EASY to avoid this nasty issue. Heck, ... Eudora, MS Outlook 
> express, MS Outlook - I wonder how many E-mail programs out there 
> DON'T separate these PGP/GPG "signatures" into text file attachments. 
> Must be only Linux MUA's that don't, huh?!
> 	Perhaps you smug Linux "gurus" can enlighten the rest of us 
> poor, ignorant slobs as to how to avoid having to delete these (your) 
> unnecessary files on a daily basis? After all, I'm sure that EVERYONE 
> wants to spend at least half of their waking hours converting their 
> entire computing experience to (exclusively) Linux, so that we can be 
> just as smug as you are.   ;-)
> ----------------
> </facetious comment>
> 
> 
> 	Seriously, though, I made my requests about this PRIVATE to 
> the individuals (offenders?) involved, and off-list. Sorry to hear 
> (read) that it didn't stay that way.
> 
> 	In the spirit of all of us - with diverse OS's and experience 
> levels - getting along, you guys COULD easily just append a KEY file 
> to the E-mail, and not a full signature.
> 	I began using PGP in 1996, so I know that this can be done, 
> and accomplish your goal of ensuring that NO ONE mistakes your E-mail 
> messages as anything but authentic and coming from you.     :-/
> 
> 
> 
> 
> Patrick Beart
> 
> -- 
> ------------------------------------------------
> Web Architecture  &  "iWeb4Biz"         503-774-8280       Portland, OR
> Internet Consulting, Intelligent Web site Development & Secure site Hosting.
> http://www.WebArchitecture.com/
> 
> "This is an era when nonsense has become acceptable and sanity is 
> controversial."
>                                       - Thomas Sowell
> ------------------------------------------------
> 
> _______________________________________________
> PLUG mailing list
> PLUG at lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
> 
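An added illustration, not part of the thread or anyone's posted code: the MIME layout of a PGP/MIME (RFC 3156) signed message, which is exactly what a mail client without PGP/MIME support displays as a "signature.asc" attachment, beside an inline clearsigned message whose signature is plain text at the bottom of the body. Both sample messages and their signature blocks are constructed placeholders, and no real verification is performed.

```python
from email import message_from_string, policy

# Constructed sample, not a message from the thread. The signature body is a
# placeholder string, not real OpenPGP data.
PGP_MIME_SAMPLE = (
    "From: alice@example.org\nSubject: test\nMIME-Version: 1.0\n"
    "Content-Type: multipart/signed; micalg=pgp-sha1;\n"
    ' protocol="application/pgp-signature"; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain; charset=us-ascii\n\nHello, list.\n"
    '--b1\nContent-Type: application/pgp-signature; name="signature.asc"\n\n'
    "-----BEGIN PGP SIGNATURE-----\nPLACEHOLDER\n-----END PGP SIGNATURE-----\n"
    "--b1--\n"
)
# Constructed inline (clearsigned) sample: the signature is ordinary body text.
INLINE_SAMPLE = (
    "From: bob@example.org\nSubject: test\n\n"
    "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\nHello, list.\n"
    "-----BEGIN PGP SIGNATURE-----\nPLACEHOLDER\n-----END PGP SIGNATURE-----\n"
)

def classify(raw):
    """Return (kind, signed_data, signature) where kind is 'pgp-mime',
    'inline' or 'unsigned'."""
    msg = message_from_string(raw, policy=policy.default)
    if (msg.get_content_type() == "multipart/signed"
            and msg.get_param("protocol") == "application/pgp-signature"):
        parts = list(msg.iter_parts())
        if (len(parts) == 2
                and parts[1].get_content_type() == "application/pgp-signature"):
            # RFC 3156: the signature covers the whole first part, its headers
            # included, with CRLF line endings. A client that understands
            # PGP/MIME writes this out and runs `gpg --verify sig.asc part`;
            # one that doesn't just shows the second part as signature.asc.
            signed = parts[0].as_bytes(policy=policy.SMTP)
            return "pgp-mime", signed, parts[1].get_payload(decode=True)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if text.startswith("-----BEGIN PGP SIGNED MESSAGE-----"):
        # Clearsigned: gpg verifies the text as-is, and every client shows
        # the signature block at the bottom of the message, attachment or not.
        return "inline", text, None
    return "unsigned", None, None
```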