[free-sklyarov] Why don't the subscribers of this mailing list use gpg og pgp?

Karsten M. Self kmself at ix.netcom.com
Thu Sep 13 12:11:49 PDT 2001


on Thu, Sep 13, 2001 at 09:02:48AM -0700, Charles Eakins (admin at seattle-chat.com) wrote:

> From: free-sklyarov-admin at zork.net Sent: Thursday, September 13, 2001 8:38 AM

> > I find it ironic that on a mailing list devoted to freeing someone
> > who is facing many years in prison for cracking ROT-13 encryption,
> > only one member of the mailing list consistently signs his mail. 

Rather more than one, I note.

> > I have seen several posts saying that there are many legitimate
> > reasons for using encryption on a daily basis.  These arguments make
> > sense up until you realise that >99% of the people on the mailing
> > list are not only not using it but also making it difficult to use.
> > If we don't use encryption on a daily basis then our defence of it
> > is more hypothetical and not as easy for people to relate to.  
> > 
> > If everyone on this mailing list starts to sign all their email
> > the topics that we care about will be brought up by our
> > correspondents. And people will start to realise, "I want people to
> > know that I really sent that email." and make the whole discussion
> > much more mainstream.  It isn't "some mafia figure doesn't want the
> > government reading his mail" It's "I don't want the government
> > reading MY mail." And when the inevitable question comes up "What
> > does someone using encryption have to hide?" The answer is "None of
> > your business." not "good question."

Strong agreement.

<...>

> > If you use linux and use mutt or evolution, using gpg is seamless
> > once it is set up.

> I'm not saying anything on this list that needs to be encrypted.

The issue was signing, which provides authentication, not encryption,
which is essentially worthless in open conversation.

There is a utility to authenticating messages sent to a public list.
There is an absolute positive public benefit to being able to distribute
general-distribution messages during wartime, and authenticate that they,
to a high degree of assurance, issue from an authority, and not an
imposter.

You're right, insofar as you're not saying anything that has to be
encrypted.  If your comments were of substance (frankly, they're not
IMVAO), signatures, associated with a PKI web of trust, would be of some
use.

Borrowing from my own rant on the subject:


So, Why Do You Insist On Signing Your Mail Anyway?

    Fair question.

    Part of the reason is for your benefit, where you are the reader of
    my mail.  It is your responsibility to ensure that what you are
    reading as attributed to me is in fact my own writing.  While
    digital (or sometimes "electronic") signatures now carry some legal
    standing, I'm not vesting my GPG hash with this power.  However, you
    can be pretty confident that words appearing over my signature,
    verified against my public key, were written by me, or by someone
    who has access to my computer, my private key, and the pass-key
    necessary to utilize it.

    Why is it your responsibility?  Simple:  you know you've received
    mail from me.  I may or may not know I've sent it.  As is well
    known, email is an insecure, unauthenticated medium.  It's quite
    possible that someone is sending something claiming to be someone
    they aren't.  In fact, this happens as a matter of course with spam.
    Since you (the recipient) have the evidence in front of your eyes,
    and I've no idea it's been sent, if it's not from me, the burden of
    authentication lies with the recipient.

    If it's not signed by me, your assumption should be that it isn't
    *from* me.

    A large reason though is to encourage and advocate use and adoption
    of tools that support public key infrastructure (PKI) methods, both
    the ability to create and properly process signed and encrypted
    mail.  I've found myself at several times needing to send
    authenticated or encrypted mail to persons, only to find that the
    recipients did not have a public key, PKI support within their
    mailer, or even, at times, a mailer capable of supporting PKI.


    It's been suggested variously that I sign messages inline, or in
    some instances, that mailing lists drop all MIME-encoded
    attachments.  I believe this is the wrong solution for two reasons:

      - It breaks useful behavior.  MIME attachments *can* provide
        useful information.

      - It's not the root problem.  The root problem is mail clients
        which handle untrusted content in an insecure fashion.  

        Palliative measures to reduce the apparent risk without
        addressing the actual cause mask the problem without fixing it.
        If sufficient people feel the pain, we'll eventually see changes
        either to client behavior or choice.

Peace.

-- 
Karsten M. Self <kmself at ix.netcom.com>          http://kmself.home.netcom.com/

Praying for the victims. 
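
What the recipient-side check discussed above involves at the message level, as an added example that is not part of the original post: it classifies a message as PGP/MIME-signed, inline-signed, malformed or unsigned, and cuts out the exact bytes a detached signature covers. The sample message, its address and the function names are constructed for illustration; the signature check itself (for example with GnuPG) is left to the caller.

```python
import email
from email import policy

ARMOR = "-----BEGIN PGP SIGNED MESSAGE-----"   # inline (clearsigned) marker
SIG_TYPE = "application/pgp-signature"         # PGP/MIME detached signature part

def classify(raw: bytes) -> str:
    """Return 'pgp-mime', 'inline', 'malformed' or 'unsigned'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() == "multipart/signed":
        parts = list(msg.iter_parts())
        proto = str(msg.get_param("protocol", "")).lower()
        if (proto == SIG_TYPE and len(parts) == 2
                and parts[1].get_content_type() == SIG_TYPE):
            return "pgp-mime"
        return "malformed"  # signature part missing or replaced in transit
    for part in msg.walk():
        if (part.get_content_type() == "text/plain"
                and part.get_content().lstrip().startswith(ARMOR)):
            return "inline"
    return "unsigned"  # nothing to verify: treat as unauthenticated

def signed_payload(raw: bytes):
    """For a 'pgp-mime' message return (signed_bytes, signature_bytes).

    The signature covers the first body part, MIME headers included, byte
    for byte, so it is cut from the raw message instead of re-serialised.
    Assumes CRLF line endings, as on the wire.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    delim = b"\r\n--" + msg.get_boundary().encode("ascii")
    first = raw.split(delim)[1]          # between 1st and 2nd delimiter
    signed = first.split(b"\r\n", 1)[1]  # drop the rest of the delimiter line
    sig = list(msg.iter_parts())[1].get_payload(decode=True)
    return signed, sig

# Constructed sample message; the signature body is a placeholder.
SAMPLE = (b'From: alice@example.org\r\nMIME-Version: 1.0\r\n'
          b'Content-Type: multipart/signed; micalg=pgp-sha1;\r\n'
          b' protocol="application/pgp-signature"; boundary="b1"\r\n\r\n'
          b'--b1\r\nContent-Type: text/plain; charset=us-ascii\r\n\r\n'
          b'Hello list.\r\n--b1\r\nContent-Type: application/pgp-signature\r\n'
          b'\r\n-----BEGIN PGP SIGNATURE-----\r\nPLACEHOLDER\r\n'
          b'-----END PGP SIGNATURE-----\r\n--b1--\r\n')

if __name__ == "__main__":
    print(classify(SAMPLE), signed_payload(SAMPLE)[0])
```

A message whose signature part was replaced in transit comes back as `malformed`, which a reader should handle the same way as `unsigned`.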