Greg Sabino Mullane on Tue, 4 Dec 2001 13:30:21 +0100



Re: [PLUG] What's smime.p7s? (Was: Ginger)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

To echo some of the excellent points of gabriel rosenkoetter's 
post and add my own two cents:

There are generally two ways to sign something you've written: 
use an attachment (a detached signature), or make the signature 
and message into a single file (clear text signature). I prefer 
the latter method, especially on mailing lists, but I don't 
begrudge those who choose attachments. (As a matter of fact, I consider 
gpg sigs to be the exception to the 'never post attachments to a 
mailing list' rule.) To make an "inline" sig (like this very 
message) using gpg:

gpg -a --clearsign yourmessage > yoursignedmessage

I think using something besides gpg is a losing battle, 
(even more so on a linux mailing list), as it is hard enough to 
convince people to use gpg without introducing other schemes. 
Especially from companies like VeriSign. The CA model is 
too full of holes for anyone to seriously consider.

As pointed out before, by signing this email, I am accomplishing 
three things:

Authentication: You can guarantee that nobody except me could 
possibly have written this message.

Integrity: It's got a built-in checksum. Change one character, 
and my signature will not verify.

Non-repudiation: I cannot later deny that I sent this message.

By the way, gpg is available on many platforms, including 
Linux and Windows, for those that want to try something 
free and portable. Spoofing email from somebody else is so 
incredibly easy I'm surprised that more people don't use 
gpg, if for no other reason than to prevent such spoofing.


Free, open-source, portable, powerful:
http://www.gnupg.org

Article that mentions one reason not to trust VeriSign:
http://webdeveloper.earthweb.com/websecu/article/0,,12013_772511,00.html

The problem with CAs in general:
http://www.counterpane.com/pki-risks-ft.txt


Greg Sabino Mullane
greg@turnstep.com
PGP Key: 0x14964AC8 200112040659

-----BEGIN PGP SIGNATURE-----
Comment: http://www.turnstep.com/pgp.html

iQA/AwUBPAy/fbybkGcUlkrIEQJ7EQCfeL8arkG5CvNlPatdztArbEwxN0EAnjGq
Z3mXJ90cowyIlzAOQD6Xs1O2
=mUs5
-----END PGP SIGNATURE-----



______________________________________________________________________
Philadelphia Linux Users Group       -      http://www.phillylinux.org
Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion  -  http://lists.phillylinux.org/mail/listinfo/plug
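An added example, not part of Greg's post: a small Python parser for the clearsigned format the post describes, plus the canonical digest OpenPGP computes over the signed text (trailing whitespace dropped, CRLF line endings, no final newline), which is why changing a single character breaks verification. The sample message is constructed and its signature block is a placeholder, not a real signature; the code checks only the digest step, not the signature itself, which needs gpg and the signer's public key.

```python
import hashlib

# Constructed sample in the same shape as a gpg --clearsign output.
# The signature block is a placeholder, not a real OpenPGP signature.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

To make an "inline" sig using gpg:
- - gpg -a --clearsign yourmessage > yoursignedmessage
Trailing spaces here are ignored by the digest:   
-----BEGIN PGP SIGNATURE-----
Comment: placeholder, not a real signature

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
=AAAA
-----END PGP SIGNATURE-----
"""


def parse_clearsigned(text):
    """Split a clearsigned message (RFC 4880 section 7) into
    (hash_name, message_lines, signature_block). Dash-escaping
    ("- " prefixed to lines that start with '-') is undone."""
    lines = text.splitlines()
    if lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        raise ValueError("not a clearsigned message")
    hash_name, i = None, 1
    while lines[i] != "":  # armor headers end at the first blank line
        key, _, value = lines[i].partition(": ")
        if key == "Hash":
            hash_name = value
        i += 1
    i += 1
    body = []
    while lines[i] != "-----BEGIN PGP SIGNATURE-----":
        line = lines[i]
        body.append(line[2:] if line.startswith("- ") else line)
        i += 1
    return hash_name, body, "\n".join(lines[i:])


def canonical_digest(hash_name, body):
    """Hex digest over the text as OpenPGP hashes clearsigned text:
    trailing spaces/tabs stripped, CRLF line ends, no final newline."""
    canon = "\r\n".join(l.rstrip(" \t") for l in body)
    return hashlib.new(hash_name.lower(), canon.encode("utf-8")).hexdigest()


def tamper_detected(text, old, new):
    """True when replacing `old` with `new` in the body changes the digest."""
    h, body, _ = parse_clearsigned(text)
    before = canonical_digest(h, body)
    return canonical_digest(h, [l.replace(old, new) for l in body]) != before
```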