| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
Boyd Stephen Smith Jr. wrote: |
| 5 |
> On Saturday 30 September 2006 01:39, "Duncan" <1i5t5.duncan@×××.net> wrote |
| 6 |
> about '[gentoo-amd64] Re: How To Play WMV (thread drift -slaveryware)': |
| 7 |
>> "Boyd Stephen Smith Jr." <bss03@××××××××××.net> posted |
| 8 |
>> 200609300101.09472.bss03@××××××××××.net, excerpted below, on Sat, 30 |
| 9 |
>> Sep |
| 10 |
>> 2006 01:01:05 -0500: |
| 11 |
>>> Apparently his mailer |
| 12 |
>>> (Thunderbird + Enigmail) seems to be singing his messages twice. |
| 13 |
>> He's signing using two different formats, apparently, smime and pgp/gpg. |
| 14 |
> |
| 15 |
> Yeah, they should probably only use one technique to sign their messages. |
| 16 |
> inline PGP/GPG is deprecated, IIRC, because it doesn't handle attachments |
| 17 |
> well (or at all?). S/MIME is preferred now but, inline PGP/GPG, being a |
| 18 |
> bit older, has better support. I know kmail still has some ease-of-use |
| 19 |
> issues with S/MIME, but I don't think it affects correctness. |
| 20 |
> |
| 21 |
|
| 22 |
Well, I can probably shed some light on things: |
| 23 |
|
| 24 |
1. Yes, my messages are signed twice (gpg and s/mime). I found half |
| 25 |
the mailers out there support one or the other, but not always both. |
| 26 |
So, I use both. Probably doesn't hurt much other than the inline gpg. |
| 27 |
|
| 28 |
2. The signatures probably are valid on every mail reader out there - |
| 29 |
as far as I can tell. |
| 30 |
|
| 31 |
3. HOWEVER, the s/mime signature is using a cert from cacert.org, which |
| 32 |
hasn't paid for a webtrust audit - and therefore is not in the root cert |
| 33 |
list for most browsers/email clients. So, while the signature is valid, |
| 34 |
the chain of trust probably isn't. |
| 35 |
|
| 36 |
4. cacert is about as open-source as you can get for something like a |
| 37 |
CA. Unfortunately, while gpg uses the web-of-trust model s/mime uses a |
| 38 |
top-down model. While most users don't think about it, they're |
| 39 |
implicitly allowing whoever distributes their software to decide who |
| 40 |
they will trust... (As an aside, cacert.org is interested in trying to |
| 41 |
get more mainstream support, but for various (often reasonable) reasons |
| 42 |
most distributors are more interested in just deferring to webtrust - |
| 43 |
which is VERY expensive.) The community really does need a better |
| 44 |
solution for SSL certs. (Yes, you can get an s/mime cert free from the |
| 45 |
big players, but you certainly can't get one for https...) |
| 46 |
-----BEGIN PGP SIGNATURE----- |
| 47 |
Version: GnuPG v1.4.5 (GNU/Linux) |
| 48 |
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org |
| 49 |
|
| 50 |
iD8DBQFFH7LpG4/rWKZmVWkRAh7TAJ0aTgiu1rueTzyUa90OQdi+oWf6HQCcDGfe |
| 51 |
7FFtEFj+VjjMHiYi8yWGIyk= |
| 52 |
=1EY6 |
| 53 |
-----END PGP SIGNATURE----- |
Archives