| 1 |
On Mon, 26 May 2008 16:16:47 +0100 |
| 2 |
Mick <michaelkintzios@×××××.com> wrote: |
| 3 |
|
| 4 |
> On Monday 26 May 2008, Daniel Iliev wrote: |
| 5 |
> > On Sun, 25 May 2008 20:04:29 +0200 |
| 6 |
> > |
| 7 |
> > Wolf Canis <wolf.canis@××××××××××.com> wrote: |
| 8 |
> > > Mick wrote: |
| 9 |
> |
| 10 |
> > > > There are other lists however, when |
| 11 |
> > > > it is not that rare for malicious (or unhinged) individuals to |
| 12 |
> > > > impersonate someone else and hijack their email address to |
| 13 |
> > > > publish offensive content. After a while using a digital |
| 14 |
> > > > signature (GnuPG or x509) becomes a habit. |
| 15 |
> > > |
| 16 |
> > > That's exactly the case. ;-) |
| 17 |
> > |
| 18 |
> > Two questions. |
| 19 |
> > How would signing your emails to this list help you: |
| 20 |
> > - in avoiding the above to happen to you? |
| 21 |
> > - help you in case that happens after all? |
| 22 |
> > |
| 23 |
> > |
| 24 |
> > Explain, please. |
| 25 |
> |
| 26 |
> The reason I have given above does not apply as much to this list (so |
| 27 |
> far). In any case, the principle is that unless I have signed this |
| 28 |
> message you cannot be sure that it was authored/sent by me and as a |
| 29 |
> matter of course you should assume that it was sent by someone else. |
| 30 |
> You can then trust/distrust the content of the message and the |
| 31 |
> potential impact of any advice offered in it accordingly. |
| 32 |
> |
| 33 |
> As far as this list is concerned singed messages don't cause any |
| 34 |
> harm. Once you set your client to sign messages, that's what it |
| 35 |
> does . . . |
| 36 |
> |
| 37 |
|
| 38 |
|
| 39 |
My point is that digital signatures are not designed to spare any |
| 40 |
troubles, just the opposite. The idea is to deprive the sender of |
| 41 |
opportunity to say "that's not a message of mine" and the sole purpose |
| 42 |
of digital signatures is to provide a means of verifying the origin [1] |
| 43 |
and integrity [2] of a message. |
| 44 |
|
| 45 |
1. Trouble saving |
| 46 |
Will signatures help if a mailing list (ML) receives spam? |
| 47 |
No. The admins won't accept arguments like "Those mails weren't signed, |
| 48 |
it's not me". Signature or not the address gets its ban and that's it. |
| 49 |
|
| 50 |
2. Origin authentication |
| 51 |
MLs like this one are nothing but bunch of people who help each other |
| 52 |
on voluntary basis w/o knowing each other in person. |
| 53 |
Hence no need for [1]. |
| 54 |
|
| 55 |
3. Integrity |
| 56 |
Besides the few very obvious exceptions there is no person that has the |
| 57 |
opportunity to alter all messages. In public places like MLs, web |
| 58 |
forums, etc the correct answer usually comes out after a discussion |
| 59 |
involving several people. So, tempering with single person's messages |
| 60 |
is pointless. Hence no need for [2] |
| 61 |
|
| 62 |
4. Unavailability |
| 63 |
I can't verify the validity of the signatures, even if I wished to, |
| 64 |
because I don't have the corresponding public keys. |
| 65 |
|
| 66 |
5. Trust |
| 67 |
Even if all public keys were easily obtainable and I had the wish to |
| 68 |
install them, are all of them signed by a certificate authorities which |
| 69 |
I trust? |
| 70 |
|
| 71 |
|
| 72 |
Bottom line: I see no reason for signing messages to MLs like this one. |
| 73 |
|
| 74 |
|
| 75 |
-- |
| 76 |
Best regards, |
| 77 |
Daniel |
| 78 |
-- |
| 79 |
gentoo-user@l.g.o mailing list |
Archives