Please change the subject line. The last few messages in this thread have no connection to GNUunify 2011.
Also please avoid 17 lines of PGP public key in each and every message. IMO it is as bad as legal disclaimers; instead post it on a public key server and give a link to it.
-- Arun Khan
2011/1/25 Arun Khan knura9@gmail.com:
> Also please avoid 17 lines of PGP public key in each and every message. IMO it is as bad as legal disclaimers; instead post it on a public key server and give a link to it.
Just nitpicking; Nitesh Mistry's email contains a PGP signature - not the public key. To verify the signature, one needs the public key - there are no instructions in the email on how to get it (I doubt if it is published in any keyserver either). So yes, you are right - the signature is completely useless.
Binand
On Tue, Jan 25, 2011 at 4:04 PM, Binand Sethumadhavan binand@gmail.com wrote:
> 2011/1/25 Arun Khan knura9@gmail.com:
>> Also please avoid 17 lines of PGP public key in each and every message. IMO it is as bad as legal disclaimers; instead post it on a public key server and give a link to it.
> Just nitpicking; Nitesh Mistry's email contains a PGP signature - not the public key.
Mea culpa :)
On Tue, Jan 25, 2011 at 04:04:17PM +0530, Binand Sethumadhavan wrote:
> 2011/1/25 Arun Khan knura9@gmail.com:
>> Also please avoid 17 lines of PGP public key in each and every message. IMO it is as bad as legal disclaimers; instead post it on a public key server and give a link to it.
> Just nitpicking; Nitesh Mistry's email contains a PGP signature - not the public key. To verify the signature, one needs the public key -
Absolutely right!
> there are no instructions in the email on how to get it (I doubt if it is published in any keyserver either). So yes, you are right - the signature is completely useless.
Wrong. In all my emails, I mention my PGP key id below my name. So anyone can download it from a public keyserver and verify it. Anyone who knows about PGP would know how to do that. I don't give those instructions on how to do it, because there are zillions of websites that provide such instructions (hint: there is a link on the contact page of my website - a narcissist, you might call me :P). Also because writing those instructions in every email again would tick off some people on this list (and rightly so). Any MUA which supports PGP encryption/authentication would parse the signature instead of showing those lines in the email. If set up properly, it can also be made to automatically download the key with which the message was signed without user intervention and only show relevant information like the owner of the key and the time of making the signature, etc.
Do not discard public key authentication/encryption as useless. They might be the last available avenues to protect privacy. IMHO, signing messages is a healthy practice.
PS: Yo! this list is back to normalcy. :D
On Tue, 2011-01-25 at 16:41 +0530, Nitesh Mistry wrote:
> Do not discard public key authentication/encryption as useless. They might be the last available avenues to protect privacy. IMHO, signing messages is a healthy practice.
on a mailing list?
On Tue, Jan 25, 2011 at 04:47:01PM +0530, Kenneth Gonsalves wrote:
> On Tue, 2011-01-25 at 16:41 +0530, Nitesh Mistry wrote:
>> Do not discard public key authentication/encryption as useless. They might be the last available avenues to protect privacy. IMHO, signing messages is a healthy practice.
> on a mailing list?
especially on a mailing list.
On Tue, 2011-01-25 at 17:08 +0530, Nitesh Mistry wrote:
>>> is a healthy practice.
>> on a mailing list?
> especially on a mailing list.
why?
2011/1/25 Nitesh Mistry mailbox@mistrynitesh.net:
> Wrong. In all my emails, I mention my PGP key id below my name. So anyone can download it from a public keyserver and verify it. Anyone who knows
You see, I typed all that after checking whether the key is available on keyserver1.pgp.com. It is not (that is the keyserver I have set up my gpg to look for keys automatically).
Even if I had found your key on a server, what does it tell me? Nothing. Your key is not trusted by anyone at all; so what is the use? The concept of Web of Trust is not utilized in your key at all.
> Do not discard public key authentication/encryption as useless. They might be the last available avenues to protect privacy. IMHO, signing messages is a healthy practice.
How exactly does simply *signing* messages with your private key protect "privacy"? If you were *encrypting* messages with the recipient's public key, I would have understood (though I'd imagine it is of little value, considering this list is publicly archived), but just signing?
Do not overuse public key authentication/encryption. It is of value if both encryption and signing are used in conjunction. For that, both sender and recipient need to have both public and private keys. Either process alone has value only in very few use cases - posting to a mailing list I don't think is one of them (unless you are someone who is frequently impersonated - even then, without the WoT signing is of little value).
Binand
On Tue, Jan 25, 2011 at 05:09:30PM +0530, Binand Sethumadhavan wrote:
> 2011/1/25 Nitesh Mistry mailbox@mistrynitesh.net:
>> Wrong. In all my emails, I mention my PGP key id below my name. So anyone can download it from a public keyserver and verify it. Anyone who knows
> You see, I typed all that after checking whether the key is available on keyserver1.pgp.com. It is not (that is the keyserver I have set up my gpg to look for keys automatically).
I think it's time you checked a couple of other servers as well. I can confirm that my keys are hosted on at least two public servers.
> Even if I had found your key on a server, what does it tell me? Nothing. Your key is not trusted by anyone at all; so what is the use? The concept of Web of Trust is not utilized in your key at all.
So first the problem was that there was no instruction in the mail on how to verify the signature, and now the problem is that it is not signed! BTW, how can one say that if the key couldn't be found on the keyserver?
>> Do not discard public key authentication/encryption as useless. They might be the last available avenues to protect privacy. IMHO, signing messages is a healthy practice.
> How exactly does simply *signing* messages with your private key protect "privacy"? If you were *encrypting* messages with the recipient's public key, I would have understood (though I'd imagine it is of little value, considering this list is publicly archived), but just signing?
> Do not overuse public key authentication/encryption. It is of value if both encryption and signing are used in conjunction. For that, both sender and recipient need to have both public and private keys. Either process alone has value only in very few use cases - posting to a mailing list I don't think is one of them (unless you are someone who is frequently impersonated - even then, without the WoT signing is of little value).
What better way to popularise use of pgp than to sign messages to a public mailing list. At least I came to know about it only when I saw them on these mailing lists. And if it doesn't get popular, how can we have more keysigning, and a strong web of trust. A case of chicken and egg?
Is it really necessary that the key has to be signed before it can be used for signing?
I believe signing messages also indicates ownership of the content of the message. And though the key is not signed at the moment, it can always be authenticated anytime, if anyone wants to.
2011/1/25 Nitesh Mistry mailbox@mistrynitesh.net:
> I think it's time you checked a couple of other servers as well. I can confirm that my keys are hosted on at least two public servers.
Therein lies the point. Should I (or anyone who'd like to verify your signature) go around every keyserver looking for your key? How do I know which keyserver to look on?
> So first the problem was that there was no instruction in the mail on how to verify the signature, and now the problem is that it is not signed!
The problem is neither of the above - it is that signing messages adds no value to their contents, if signed with a key that is trusted by no one. And unless you are someone who is frequently impersonated, there is no point in signing messages sent to a public access mailing list. It only reduces the S/N further.
> BTW, how can one say that if the key couldn't be found on the keyserver?
I did make an effort to locate your key and evaluate your usage, you know.
> What better way to popularise use of pgp than to sign messages to a public mailing list. At least I came to know about it only when I saw them on
Your system has loopholes. You say that the keyserver to search on is mentioned on your homepage, a link to which (along with the key ID) is included in your email, whose signature the recipient is supposed to verify. Do you see the circular logic here that negates any advantage you might have had from signing the message?
The popularity of pgp should be based on its merits - not based on incorrect and faulty usage that puts users at more risk than they were.
> I believe signing messages also indicates ownership of the content of the message. And though the key is not signed at the moment, it can always be authenticated anytime, if anyone wants to.
An untrusted key does nothing of that sort. For example, anybody can register niteshmistry.com, set up an email ID and website, generate a key, upload it to a keyserver and start signing messages as mailbox@niteshmistry.com. Without the WoT, how do you protect your correspondents from this scenario?
Even in the offline world, signing a document is usually not enough - a witness should countersign indicating that he knows the person signing and vouches that the signature is authentic. The WoT extends this concept to the Internet.
Binand
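A concrete way to see the distinction drawn in the two messages above, between a signature that verifies and a key that is actually trusted, as an added example that is not code from anyone on this thread: a small Python parser for the machine-readable status lines GnuPG emits with --status-fd, which is what a PGP-aware MUA reads before deciding what to show the reader (the "relevant information" Nitesh mentions). Key ids, fingerprints, addresses and timestamps in the samples are constructed placeholders, not anyone's real key.

```python
"""Interpret GnuPG --status-fd output the way a PGP-aware mail client must."""
import datetime as dt
from dataclasses import dataclass
from typing import Optional

# Trust lines gpg emits after a valid signature, weakest first.
TRUST_LINES = ("TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL",
               "TRUST_FULLY", "TRUST_ULTIMATE")
TRUSTED = {"TRUST_FULLY", "TRUST_ULTIMATE"}


@dataclass
class Verdict:
    status: str                 # bad | no-key | good-untrusted | verified
    key_id: str = ""
    fingerprint: str = ""
    user_id: str = ""
    signed_at: Optional[dt.datetime] = None
    trust: str = ""


def classify(status_output: str) -> Verdict:
    """Reduce a block of '[GNUPG:] ...' lines to one verdict a MUA can display."""
    v = Verdict(status="no-key")
    for raw in status_output.splitlines():
        if not raw.startswith("[GNUPG:] "):
            continue            # human-readable stderr chatter is not status data
        tag, *args = raw[len("[GNUPG:] "):].split()
        if tag == "BADSIG":
            # Signature does not match the content: tampered text or wrong key.
            return Verdict(status="bad", key_id=args[0], user_id=" ".join(args[1:]))
        if tag in ("ERRSIG", "NO_PUBKEY"):
            # Key not in the local ring; a client with auto-key-retrieve would
            # now fetch it from a keyserver and re-verify.
            v.key_id = args[0]
        elif tag == "GOODSIG":
            # Cryptographically valid, but this proves only that the holder of
            # this key signed; a look-alike key with the same name and address
            # (the impersonation scenario above) reaches exactly this point.
            v.key_id, v.user_id = args[0], " ".join(args[1:])
            v.status = "good-untrusted"
        elif tag == "VALIDSIG":
            v.fingerprint = args[0]
            v.signed_at = dt.datetime.fromtimestamp(int(args[2]), dt.timezone.utc)
        elif tag in TRUST_LINES:
            # Only a key the reader's own web of trust vouches for binds the
            # signature to an identity; that is what upgrades the verdict.
            v.trust = tag
            if tag in TRUSTED and v.status == "good-untrusted":
                v.status = "verified"
    return v


# Constructed samples; ids, fingerprints, addresses and times are placeholders.
UNKNOWN_KEY = """\
[GNUPG:] GOODSIG 0123456789ABCDEF Example Poster <poster@example.org>
[GNUPG:] VALIDSIG 00112233445566778899AABB0123456789ABCDEF 2011-01-25 1295951400 0 4 0 1 10 00 00112233445566778899AABB0123456789ABCDEF
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
TRUSTED_KEY = UNKNOWN_KEY.replace("TRUST_UNDEFINED", "TRUST_FULLY")
MISSING_KEY = """\
[GNUPG:] ERRSIG 0123456789ABCDEF 1 10 00 1295951400 9 -
[GNUPG:] NO_PUBKEY 0123456789ABCDEF
"""
```

Running classify on UNKNOWN_KEY and TRUSTED_KEY shows the same GOODSIG line yielding two different verdicts; the only difference is whether the reader's keyring vouches for the key.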
On Wednesday 26 Jan 2011, Binand Sethumadhavan wrote:
> 2011/1/25 Nitesh Mistry mailbox@mistrynitesh.net:
>> I think it's time you checked a couple of other servers as well. I can confirm that my keys are hosted on at least two public servers.
> Therein lies the point. Should I (or anyone who'd like to verify your signature) go around every keyserver looking for your key? How do I know which keyserver to look on?
Keyservers share information, so you will find a key on all keyservers within 48 hours or so of it being uploaded to one.
Regards,
-- Raj
On Wed, Jan 26, 2011 at 08:15:03AM +0530, Binand Sethumadhavan wrote:
> 2011/1/25 Nitesh Mistry mailbox@mistrynitesh.net:
>> I think it's time you checked a couple of other servers as well. I can confirm that my keys are hosted on at least two public servers.
> Therein lies the point. Should I (or anyone who'd like to verify your signature) go around every keyserver looking for your key? How do I know which keyserver to look on?
Use a keyserver that syncs data with others and you will be spared the effort.
>> So first the problem was that there was no instruction in the mail on how to verify the signature, and now the problem is that it is not signed!
> The problem is neither of the above - it is that signing messages adds no value to their contents, if signed with a key that is trusted by no one. And unless you are someone who is frequently impersonated, there is no point in signing messages sent to a public access mailing list. It only reduces the S/N further.
>> BTW, how can one say that if the key couldn't be found on the keyserver?
> I did make an effort to locate your key and evaluate your usage, you know.
>> What better way to popularise use of pgp than to sign messages to a public mailing list. At least I came to know about it only when I saw them on
> Your system has loopholes. You say that the keyserver to search on is mentioned on your homepage, a link to which (along with the key ID) is included in your email, whose signature the recipient is supposed to verify. Do you see the circular logic here that negates any advantage you might have had from signing the message?
Just to aid your memory, I mentioned that there are zillions of websites which give information on what pgp keys are and how to download one from a keyserver and verify a message. My website is only one of them.
> The popularity of pgp should be based on its merits - not based on
Don't you think merits should be popularised?
> incorrect and faulty usage that puts users at more risk than they were.
How does signing my messages with a key that I own put someone at more risk?
>> I believe signing messages also indicates ownership of the content of the message. And though the key is not signed at the moment, it can always be authenticated anytime, if anyone wants to.
> An untrusted key does nothing of that sort. For example, anybody can register niteshmistry.com, set up an email ID and website, generate a key, upload it to a keyserver and start signing messages as mailbox@niteshmistry.com. Without the WoT, how do you protect your correspondents from this scenario?
The fact that the message is signed indicates the ownership of the mail and that I am in physical control of that key. Anybody who has the urge or the need to verify it can do so by meeting in person. No other person will be able to do that. Keysigning and WoT only aid in doing so.
Do you mean to say that you would have had no objection if the key was signed? No, maybe then you would have had the problem that the key was not in your WoT, or something of that sort. How do you solve that problem? By bringing more and more people into the WoT (of course after standard due diligence). How do more people get to know about this? When you sign messages (especially messages in the public mailing list).
> Even in the offline world, signing a document is usually not enough -
On the contrary it is 'usually' enough. Of how many documents that we sign, do you get them countersigned by a witness? Does that mean you do not sign a document unless there is a witness countersigning it?
> a witness should countersign indicating that he knows the person signing and vouches that the signature is authentic. The WoT extends this concept to the Internet.
This is only in rare cases of legal documentation, where courts and other authorities want to spare themselves the effort of verifying the authenticity.
PS: I hope someone who was missing the activity on the list is having fun. :)
2011/1/26 Nitesh Mistry mailbox@mistrynitesh.net:
>> Even in the offline world, signing a document is usually not enough -
> On the contrary it is 'usually' enough. Of how many documents that we sign, do you get them countersigned by a witness? Does that mean you do not sign a document unless there is a witness countersigning it?
I am ignoring everything else you have written (better sense prevails - proverbs about skirmishes with the suilline and all that), but this displays some naivete. Every non-trivial document (ie, one that is going to trigger a decision - especially financial - by a third party who is going to be held liable for that decision) you sign is authenticated by a witness, or by comparing with a signature authenticated previously. In case you have counter examples, let me know. Think of the list of documents you might have to sign - be it a cheque, a loan application, a tax return - anything - and the backend processing that happens.
Binand
On Sun, Jan 30, 2011 at 07:50:30AM +0530, Binand Sethumadhavan wrote:
> 2011/1/26 Nitesh Mistry mailbox@mistrynitesh.net:
>>> Even in the offline world, signing a document is usually not enough -
>> On the contrary it is 'usually' enough. Of how many documents that we sign, do you get them countersigned by a witness? Does that mean you do not sign a document unless there is a witness countersigning it?
> I am ignoring everything else you have written (better sense prevails - proverbs about skirmishes with the suilline and all that), but this displays some naivete. Every non-trivial document (ie, one that is going to trigger a decision - especially financial - by a third party who is going to be held liable for that decision) you sign is authenticated by a witness, or by comparing with a signature authenticated previously. In case you have counter examples, let me know. Think of the list of documents you might have to sign - be it a cheque, a loan application, a tax return - anything - and the backend processing that happens.
Didn't I write "USUALLY"? But what you say about backend processing is exactly what pgp does. And in the light of your own arguments, my signing the messages with pgp keys is more meaningful than you just writing your name below every message. Because anybody can write any name below the message, but nobody other than me can pgp sign a message with key id A6FEF696. If you want a proof that the name mentioned on the key A6FEF696 is really Nitesh Mistry, you are always welcome to meet me and I can give all the documents in the world to prove it (and no I won't bite you ;) ).
2011/2/2 Nitesh Mistry mailbox@mistrynitesh.net:
> Didn't I write "USUALLY"? But what you say about backend processing is
Well, I did ask you for one of these "usual" signature examples where a signature authentication is not required.
> the messages with pgp keys is more meaningful than you just writing your name below every message. Because anybody can write any name below the message, but nobody other than me can pgp sign a message with key id A6FEF696. If you want a proof that the name mentioned on the key A6FEF696 is really Nitesh Mistry, you are always welcome to meet me and I can give all the documents in the world to prove it (and no I won't bite you ;) ).
The point from day one is that it carries no additional meaning in a mailing list context; all you are doing is reducing the S/N. If you cannot grasp that, why bother?
In any case, I don't want to continue this argument any further as I mentioned in the previous mail. I do understand how a geek code or a pgp signature add to someone's geekness (irrespective of whether they are contextually appropriate or not). So carry on.
Binand
On Wed, 2011-02-02 at 12:05 +0530, Binand Sethumadhavan wrote:
> I do understand how a geek code or a pgp signature add to someone's geekness
the urge to show off is one of the fundamental characteristics of the human male
On Wed, 2011-02-02 at 13:14 +0530, Nitesh Mistry wrote:
> On Wed, Feb 02, 2011 at 12:18:16PM +0530, Kenneth Gonsalves wrote:
>> the urge to show off is one of the fundamental characteristics of the human male
> Can anyone dare to differ ;)
they better not ;-)
2011/2/2 Nitesh Mistry mailbox@mistrynitesh.net:
> I can fully understand why.
Surprising. But still, let me know when you find any "usual" case where a signature is accepted without validating its authenticity.
Binand
On Wednesday 02 February 2011 12:05 PM, Binand Sethumadhavan wrote:
> The point from day one is that it carries no additional meaning in a mailing list context; all you are doing is reducing the S/N. If you cannot grasp that, why bother?
> In any case, I don't want to continue this argument any further as I mentioned in the previous mail. I do understand how a geek code or a pgp signature add to someone's geekness (irrespective of whether they are contextually appropriate or not). So carry on.
Sometimes someone may have understood a concept but not in a totally correct way. The purpose of discussions on a group list is to dispel any mis-understanding of the person so that the concept is understood by all in a better way. Non participating readers benefit from reading all the points of the discussion and improve their own knowledge on the subject. The art of participation in the discussions is to grasp what part of the concept has been mis-understood and provide answers that are convincing enough to the other party. It is a two way process and is best handled when it is focused only in a technical way.
On Wednesday 02 Feb 2011, Binand Sethumadhavan wrote:
> 2011/2/2 Nitesh Mistry mailbox@mistrynitesh.net:
>> the messages with pgp keys is more meaningful than you just writing your name below every message. Because anybody can write any name below the message, but nobody other than me can pgp sign a message with key id A6FEF696. If you want a proof that the name mentioned on the key A6FEF696 is really Nitesh Mistry, you are always welcome to meet me and I can give all the documents in the world to prove it (and no I won't bite you ;) ).
> The point from day one is that it carries no additional meaning in a mailing list context; all you are doing is reducing the S/N. If you cannot grasp that, why bother?
I don't agree that signing messages is reducing S/N on a list. PGP/GPG signing does accomplish the following:
- Encourage more people to ask questions about and hopefully adopt privacy-friendly practices in public communications.
- Establish a non-repudiable ownership of the content of the message.
- Establish prior art in case you put an idea into a message which someone steals.
I sign messages to mailing lists on a regular (if infrequent) basis, never had a complaint yet.
Of course, if Nitesh's key isn't available for download from a keyserver then the effectiveness of the signing does go down, but it still serves the same basic functions.
Regards,
-- Raj