Greg Sabino Mullane on Tue, 4 Dec 2001 13:30:21 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

To echo some of the excellent points of gabriel rosenkoetter's post and add my own two cents:

There are generally two ways to sign something you've written: use an attachment (a detached signature), or make the signature and message into a single file (clear text signature). I prefer the latter method, especially on mailing lists, but I don't begrudge those who choose attachments. (matter of fact, I consider gpg sigs to be the exception to the 'never post attachments to a mailing list' rule).

To make an "inline" sig (like this very message) using gpg:

    gpg -a --clearsign yourmessage > yoursignedmessage

I think using something besides gpg is a losing battle, (even more so on a linux mailing list), as it is hard enough to convince people to use gpg without introducing other schemes. Especially from companies like VeriSign. The CA model is too full of holes for anyone to seriously consider.

As pointed out before, by signing this email, I am accomplishing three things:

Authentication: You can guarantee that nobody except me could possibly have written this message.

Integrity: It's got a built-in checksum. Change one character, and my signature will not verify.

Non-repudiation: I cannot later deny that I sent this message.

By the way, gpg is available on many platforms, including Linux and Windows, for those that want to try something free and portable. Spoofing email from somebody else is so incredibly easy I'm surprised that more people don't use gpg, if for no other reason than to prevent such spoofing.

Free, open-source, portable, powerful:
http://www.gnupg.org

Article that mentions one reason not to trust VeriSign:
http://webdeveloper.earthweb.com/websecu/article/0,,12013_772511,00.html

The problem with CAs in general:
http://www.counterpane.com/pki-risks-ft.txt

Greg Sabino Mullane greg@turnstep.com
PGP Key: 0x14964AC8 200112040659

-----BEGIN PGP SIGNATURE-----
Comment: http://www.turnstep.com/pgp.html

iQA/AwUBPAy/fbybkGcUlkrIEQJ7EQCfeL8arkG5CvNlPatdztArbEwxN0EAnjGq
Z3mXJ90cowyIlzAOQD6Xs1O2
=mUs5
-----END PGP SIGNATURE-----

______________________________________________________________________
Philadelphia Linux Users Group - http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion - http://lists.phillylinux.org/mail/listinfo/plug
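
An added example, not part of the original message: Python that splits a clearsigned message of the kind `gpg -a --clearsign` produces and decodes the header of its signature packet, showing that the block names the signing key, the signing time and the algorithms used. The signature block is the one from the message above; the body line and all function names are constructed for illustration, and nothing here verifies the signature cryptographically (that needs the signer's public key and `gpg --verify`).

```python
import base64
import struct

# The signature block is the one in the message above. The body line is a
# constructed stand-in, so nothing here checks the signature cryptographically.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -- constructed body line that begins with a dash
-----BEGIN PGP SIGNATURE-----
Comment: http://www.turnstep.com/pgp.html

iQA/AwUBPAy/fbybkGcUlkrIEQJ7EQCfeL8arkG5CvNlPatdztArbEwxN0EAnjGq
Z3mXJ90cowyIlzAOQD6Xs1O2
=mUs5
-----END PGP SIGNATURE-----
"""
PUBKEY_ALGOS = {1: "RSA", 16: "Elgamal", 17: "DSA"}  # RFC 4880 section 9.1
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256"}  # section 9.4

def split_clearsigned(text):
    """Return (Hash armor header, signed text, raw signature packet)."""
    after = text.split("-----BEGIN PGP SIGNED MESSAGE-----\n", 1)[1]
    head, _, rest = ("\n" + after).partition("\n\n")  # headers end at blank line
    body, sig = rest.split("-----BEGIN PGP SIGNATURE-----\n", 1)
    # Undo dash-escaping: a signed line starting with "-" is stored as "- -...".
    lines = [ln[2:] if ln.startswith("- ") else ln for ln in body.splitlines()]
    armor = sig.split("-----END PGP SIGNATURE-----")[0].split("\n\n", 1)[1]
    # The "=XXXX" line is the armor CRC-24, not part of the packet data.
    b64 = "".join(ln for ln in armor.split() if not ln.startswith("="))
    headers = dict(h.split(": ", 1) for h in head.splitlines() if h)
    return headers.get("Hash"), "\n".join(lines), base64.b64decode(b64)

def parse_v3_signature(pkt):
    """Decode the fixed header of an old-format version 3 signature packet."""
    length = struct.unpack(">H", pkt[1:3])[0]
    if pkt[0] != 0x89 or pkt[3] != 3 or pkt[4] != 5 or length != len(pkt) - 3:
        raise ValueError("expected one v3 signature packet with 2-byte length")
    sig_type, created, key_id, pk, h = struct.unpack(">BI8sBB", pkt[5:20])
    return {"sig_type": sig_type, "created": created, "key_id": key_id.hex().upper(),
            "pubkey_algo": PUBKEY_ALGOS.get(pk, pk), "hash_algo": HASH_ALGOS.get(h, h)}

def describe(text):
    """Summarise what the signature block claims and whether headers agree."""
    hash_hdr, signed_text, pkt = split_clearsigned(text)
    info = parse_v3_signature(pkt)
    info["armor_hash_matches"] = hash_hdr == info["hash_algo"]
    info["signed_text"] = signed_text
    return info
```

Calling `describe(SAMPLE)` returns a key ID ending in 14964AC8, the short key ID given in the message's signature lines, with signature type 1 (canonical text document).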