| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
Daniel Iliev wrote: |
| 5 |
> My point is that digital signatures are not designed to spare any |
| 6 |
> troubles, just the opposite. The idea is to deprive the sender of |
| 7 |
> opportunity to say "that's not a message of mine" and the sole purpose |
| 8 |
> of digital signatures is to provide a means of verifying the origin [1] |
| 9 |
> and integrity [2] of a message. |
| 10 |
|
| 11 |
Agreed. |
| 12 |
|
| 13 |
> |
| 14 |
> 1. Trouble saving |
| 15 |
> Will signatures help if a mailing list (ML) receives spam? |
| 16 |
> No. The admins won't accept arguments like "Those mails weren't signed, |
| 17 |
> it's not me". Signature or not the address gets its ban and that's it. |
| 18 |
|
| 19 |
Agreed, because of the way the subscription process works. The way how |
| 20 |
someone subscribed to a list is _only_ with a e-mail address. This would |
| 21 |
change if the subscription process would demand a signature. |
| 22 |
|
| 23 |
> |
| 24 |
> 2. Origin authentication |
| 25 |
> MLs like this one are nothing but bunch of people who help each other |
| 26 |
> on voluntary basis w/o knowing each other in person. |
| 27 |
|
| 28 |
Agreed. |
| 29 |
|
| 30 |
> Hence no need for [1]. |
| 31 |
|
| 32 |
No fully agreed, because if someone is signing his messages, all other |
| 33 |
subscribers have the possibility to see whether it's the same person or |
| 34 |
not. Not in the sense of real live identity but at least same Nick or |
| 35 |
Name. In my case for example "Wolf Canis". Would know a message reach |
| 36 |
the ML with my Name but no signature or a different signature, could one |
| 37 |
relatively be sure about the fact that this particular message is not |
| 38 |
from the original "Wolf Canis". |
| 39 |
|
| 40 |
> |
| 41 |
> 3. Integrity |
| 42 |
> Besides the few very obvious exceptions there is no person that has the |
| 43 |
> opportunity to alter all messages. In public places like MLs, web |
| 44 |
> forums, etc the correct answer usually comes out after a discussion |
| 45 |
> involving several people. So, tempering with single person's messages |
| 46 |
> is pointless. Hence no need for [2] |
| 47 |
|
| 48 |
Except if the message is malicious, abusive etc. |
| 49 |
|
| 50 |
> |
| 51 |
> 4. Unavailability |
| 52 |
> I can't verify the validity of the signatures, even if I wished to, |
| 53 |
> because I don't have the corresponding public keys. |
| 54 |
|
| 55 |
Why not? Every public key is downloadable, except one created a key |
| 56 |
and forgot to upload the public key, in this case is his/her signature |
| 57 |
pointless. |
| 58 |
|
| 59 |
> |
| 60 |
> 5. Trust |
| 61 |
> Even if all public keys were easily obtainable and I had the wish to |
| 62 |
> install them, are all of them signed by a certificate authorities which |
| 63 |
> I trust? |
| 64 |
|
| 65 |
Agreed but I would say that we have to differentiate between real live |
| 66 |
and virtual live. Both of them can or can not trustful. |
| 67 |
|
| 68 |
> |
| 69 |
> |
| 70 |
> Bottom line: I see no reason for signing messages to MLs like this one. |
| 71 |
|
| 72 |
Disagree, because of the possibility that without signatures it's |
| 73 |
relatively easy to bring a subscriber into discredit. |
| 74 |
|
| 75 |
|
| 76 |
W. Canis |
| 77 |
-----BEGIN PGP SIGNATURE----- |
| 78 |
Version: GnuPG v2.0.9 (GNU/Linux) |
| 79 |
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org |
| 80 |
|
| 81 |
iEYEARECAAYFAkg70+wACgkQKT9zBKF0twUy0QCeK2ZtAIL+SKPZcNrVE1FIq8Af |
| 82 |
E3QAmwbOHN6RaLtva4GoBqe4wOeWnRVI |
| 83 |
=Vquz |
| 84 |
-----END PGP SIGNATURE----- |
| 85 |
-- |
| 86 |
gentoo-user@l.g.o mailing list |
Archives