Bob Razler on Tue, 4 Dec 2001 14:50:19 +0100
I had played around with PGP verification. From what I remember, the biggest obstacle was that it didn't support multiple accounts on one email client. Here at the office I have my office email, my personal email and my ISP. I wanted to be able to send authenticated email from all three from the same client. Using Verisign allows issuance and installation of multiple certificates into my Outlook client, letting me authenticate email that I choose to send from any of my accounts.

Robert J. Razler, Esq.
Approvals Manager
Heritage Building Group, Inc.
Suite A-100
3326 Old York Road
Furlong, PA 18925
215.794.0550, ext. 117
www.heritagebuildinggroup.com
brazler@heritagebuildinggroup.com

-----Original Message-----
From: plug-admin@lists.phillylinux.org [mailto:plug-admin@lists.phillylinux.org] On Behalf Of Greg Sabino Mullane
Sent: Tuesday, December 04, 2001 7:33 AM
To: plug@lists.phillylinux.org
Subject: Re: [PLUG] What's smime.p7s? (Was: Ginger)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

To echo some of the excellent points of gabriel rosenkoetter's post and add my own two cents:

There are generally two ways to sign something you've written: use an attachment (a detached signature), or make the signature and message into a single file (clear text signature). I prefer the latter method, especially on mailing lists, but I don't begrudge those who choose attachments. (Matter of fact, I consider gpg sigs to be the exception to the 'never post attachments to a mailing list' rule.)

To make an "inline" sig (like this very message) using gpg:

    gpg -a --clearsign yourmessage > yoursignedmessage

I think using something besides gpg is a losing battle (even more so on a Linux mailing list), as it is hard enough to convince people to use gpg without introducing other schemes. Especially from companies like VeriSign. The CA model is too full of holes for anyone to seriously consider.

As pointed out before, by signing this email, I am accomplishing three things:

Authentication: You can guarantee that nobody except me could possibly have written this message.

Integrity: It's got a built-in checksum. Change one character, and my signature will not verify.

Non-repudiation: I cannot later deny that I sent this message.

By the way, gpg is available on many platforms, including Linux and Windows, for those that want to try something free and portable. Spoofing email from somebody else is so incredibly easy I'm surprised that more people don't use gpg, if for no other reason than to prevent such spoofing.

Free, open-source, portable, powerful:
http://www.gnupg.org

Article that mentions one reason not to trust VeriSign:
http://webdeveloper.earthweb.com/websecu/article/0,,12013_772511,00.html

The problem with CAs in general:
http://www.counterpane.com/pki-risks-ft.txt

Greg Sabino Mullane greg@turnstep.com
PGP Key: 0x14964AC8 200112040659

-----BEGIN PGP SIGNATURE-----
Comment: http://www.turnstep.com/pgp.html

iQA/AwUBPAy/fbybkGcUlkrIEQJ7EQCfeL8arkG5CvNlPatdztArbEwxN0EAnjGq
Z3mXJ90cowyIlzAOQD6Xs1O2
=mUs5
-----END PGP SIGNATURE-----

______________________________________________________________________
Philadelphia Linux Users Group - http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion - http://lists.phillylinux.org/mail/listinfo/plug

Attachment: smime.p7s
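Added example, not part of either message above: a small parser for the clear-signed layout that `gpg --clearsign` produces, showing which bytes the signature actually covers (dash-escaping undone, trailing spaces and tabs dropped, CRLF line endings) and how the armor's CRC-24 line catches transport damage. The function names and `SAMPLE` are constructed for illustration, the armor payload is placeholder bytes rather than a real signature, and checking the signature itself still requires gpg and the signer's public key.

```python
import base64

# Constructed sample in the clear-signed layout. The armor payload is
# placeholder bytes (b"123456789"), not a real OpenPGP signature packet.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Meet at noon.\t
- --
Greg
-----BEGIN PGP SIGNATURE-----
Comment: constructed sample, not a real signature

MTIzNDU2Nzg5
=Ic8C
-----END PGP SIGNATURE-----
"""

def crc24(data: bytes) -> int:
    """CRC-24 checksum used by OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def parse_clearsigned(text: str) -> dict:
    lines = text.replace("\r\n", "\n").split("\n")
    top = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
    sig = lines.index("-----BEGIN PGP SIGNATURE-----", top)
    end = lines.index("-----END PGP SIGNATURE-----", sig)
    blank = lines.index("", top)  # blank line ends the "Hash:" headers
    hashes = [l.split(":", 1)[1].strip()
              for l in lines[top + 1:blank] if l.startswith("Hash:")]
    # Canonical signed text: undo dash-escaping, drop trailing spaces and
    # tabs, join with CRLF. The line break before the signature is excluded.
    body = [(l[2:] if l.startswith("- ") else l).rstrip(" \t")
            for l in lines[blank + 1:sig]]
    armor = lines[sig + 1:end]
    payload = armor[armor.index("") + 1:]  # skip headers such as "Comment:"
    data = base64.b64decode("".join(l for l in payload if not l.startswith("=")))
    crc = [l[1:] for l in payload if l.startswith("=")]
    crc_ok = bool(crc) and int.from_bytes(base64.b64decode(crc[0]), "big") == crc24(data)
    return {"hash": hashes, "canonical": "\r\n".join(body).encode("utf-8"),
            "armor_crc_ok": crc_ok}
```

The CRC-24 only detects accidental corruption of the armor; it is not keyed, so it says nothing about who produced the message.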