gabriel rosenkoetter on Mon, 3 Dec 2001 23:51:17 -0500



Re: [PLUG] What's smime.p7s? (Was: Ginger)


On Mon, Dec 03, 2001 at 10:24:47PM -0500, Arthur S. Alexion wrote:
> >This is not an issue of secrecy, it's one of authentication.
> Right.  Is that important for list mail?

Authentication is always important.

I state this as a truism because I believe it as such. But as
justification... have you noticed that everyone just believes that
emails from a given email address really come from someone? Email is
the *easiest* of identity theft targets. All I have to do is know a
minimum of information about your dealings with some person (which
is easy, especially with email correspondents, because all of your
email correspondence is probably in clear text anyhow and reading
yours is some minimal verbal coercion away, even easier if I know
about the situation I want to affect, since I'm probably already
interested in that situation), and I can impersonate you with
incredible ease. SMTP provides *no* authentication. POP-before-SMTP
provides minimal authentication. Public/private key signature
methods provide absolute authentication which, experimentally to
this date, I'm incapable of falsifying.

Think about why (hand-written) signatures are considered important
in the paper world. And they're far easier to spoof than electronic
signatures.

I choose to sign my email using the OpenPGP standard. Other people
choose other standards. As yet, I've had no reason to check other
standards. But it's not like I couldn't.

Also, if I email (and I've forgotten the name of the S/MIME user,
nuts) and get his public key now (or retrieve it from a third
party), it's not just that I can verify that he sent some new,
important information to me, but also that I can verify anything
he's ever sent to me before. Even if I don't know him personally, I
know he's the same person I've seen send messages to PLUG and I know
we have an established relationship. It doesn't matter if he is who
he says he is, as long as he's said the same thing about who he is
all along, I know that whoever's saying the important thing to me is
the same person. (Well, provided he's kept his private key secure,
but that's implementation, not conceptual.)

This is why I (and plenty of other people) electronically sign all
of my correspondence. It's why you should too.

> But sometimes I want to save the messages, especially if they address a 
> problem similar to one I am experiencing.

If you're making a special effort to save it, then delete the
attachment out of it. I do that kind of thing routinely. Especially
in email to the NetBSD lists the concept of which I want but the
patch or sample code from which someone else is going to commit
anyway.

I'm not suggesting that I don't think the signature is ridiculously
large. That may also be a configuration issue. If not, then it's
silly software, and a good sign that OpenPGP is a better way to go.

-- 
gabriel rosenkoetter
gr@eclipsed.net

Attachment: pgp2zv5sr9BMT.pgp
Description: PGP signature
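
Added example, not part of the original message: the "delete the attachment" step for a saved copy, done in Python by locating the detached signature part (smime.p7s or a PGP signature) of a multipart/signed message and removing it. The sample message, its addresses and the signature blob are constructed placeholders, and strip_signature is a hypothetical helper name.

```python
from email import message_from_string, policy

# Detached-signature media types used by PGP/MIME (RFC 3156) and S/MIME.
SIG_TYPES = {
    "application/pgp-signature": "OpenPGP",
    "application/pkcs7-signature": "S/MIME",
    "application/x-pkcs7-signature": "S/MIME",
}

# Constructed sample; the base64 blob is a placeholder, not a real signature.
SAMPLE = """\
From: alice@example.org
To: list@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg=sha1; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

The fix is in revision 1.4.

--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"

Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
--b1--
"""

def strip_signature(raw):
    """Return (scheme, signature_size, archive_copy); scheme is None if unsigned."""
    msg = message_from_string(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/signed" or not msg.is_multipart():
        return None, 0, msg
    parts = msg.get_payload()
    # RFC 1847: exactly two parts, the signed content and then the signature.
    if len(parts) != 2 or parts[1].get_content_type() not in SIG_TYPES:
        return None, 0, msg
    body, sig = parts
    size = len(sig.get_payload(decode=True) or b"")
    # Promote the signed content to the top level, dropping the signature part.
    for h in ("Content-Type", "Content-Transfer-Encoding", "Content-Disposition"):
        del msg[h]
        if body[h] is not None:
            msg[h] = body[h]
    msg.set_payload(body.get_payload())
    return SIG_TYPES[sig.get_content_type()], size, msg
```

The stripped copy can no longer be verified against the sender's key, so keep the original wherever later verification matters.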