| 1 |
On Monday 26 May 2008, Matt Harrison wrote: |
| 2 |
> Mick wrote: |
| 3 |
> > On Monday 26 May 2008, Daniel Iliev wrote: |
| 4 |
> > > On Sun, 25 May 2008 20:04:29 +0200 |
| 5 |
> > > |
| 6 |
> > > Wolf Canis <wolf.canis@××××××××××.com> wrote: |
| 7 |
> > >> Mick wrote: |
| 8 |
> > >>> There are other lists however, when |
| 9 |
> > >>> it is not that rare for malicious (or unhinged) individuals to |
| 10 |
> > >>> impersonate someone else and hijack their email address to publish |
| 11 |
> > >>> offensive content. After a while using a digital signature (GnuPG |
| 12 |
> > >>> or x509) becomes a habit. |
| 13 |
> > >> |
| 14 |
> > >> That's exactly the case. ;-) |
| 15 |
> > > |
| 16 |
> > > Two questions. |
| 17 |
> > > How would signing your emails to this list help you: |
| 18 |
> > > - in avoiding the above to happen to you? |
| 19 |
> > > - help you in case that happens after all? |
| 20 |
> > > |
| 21 |
> > > |
| 22 |
> > > Explain, please. |
| 23 |
> > |
| 24 |
> > The reason I have given above does not apply as much to this list (so |
| 25 |
> |
| 26 |
> far). |
| 27 |
> |
| 28 |
> > In any case, the principle is that unless I have signed this message you |
| 29 |
> > cannot be sure that it was authored/sent by me and as a matter of |
| 30 |
> |
| 31 |
> course you |
| 32 |
> |
| 33 |
> > should assume that it was sent by someone else. You can then |
| 34 |
> |
| 35 |
> trust/distrust |
| 36 |
> |
| 37 |
> > the content of the message and the potential impact of any advice |
| 38 |
> |
| 39 |
> offered in |
| 40 |
> |
| 41 |
> > it accordingly. |
| 42 |
> > |
| 43 |
> > As far as this list is concerned singed messages don't cause any |
| 44 |
> |
| 45 |
> harm. Once |
| 46 |
> |
| 47 |
> > you set your client to sign messages, that's what it does . . . |
| 48 |
> |
| 49 |
> Just a word of caution: |
| 50 |
> |
| 51 |
> You can never fully trust even a signed message unless you have |
| 52 |
> physically met the person in question and they have given you their key |
| 53 |
> signature on some secure media such as a floppy disk. Downloaded keys |
| 54 |
> from keyservers are not a guarantee that the key was made my the person |
| 55 |
> in question. Unless I know the person well and they have provided means |
| 56 |
> of verifying the key, I would only ever award marginal trust. |
| 57 |
|
| 58 |
I've been to a couple of key signing parties at Gentoo events. All other |
| 59 |
signatures (except for my wife's) are simply not trusted. When a signature |
| 60 |
is shown as bad then the message in question is *definitely* not trusted. On |
| 61 |
the other hand, I wouldn't hesitate to accept as marginally trusted (a few) |
| 62 |
posters who have been frequenting this M/L for yonks, have given |
| 63 |
knowledgeable and reliable advice and have been showing the same fingerprint |
| 64 |
for years. |
| 65 |
|
| 66 |
Trust is a personal call - the digital signature is merely a means to |
| 67 |
facilitate it. |
| 68 |
-- |
| 69 |
Regards, |
| 70 |
Mick |
Archives