[ On Thursday, September 23, 2004 at 11:39:03 (-0700), John W. Baxter wrote: ]
> Subject: Re: [exim] support for domainkeys
>
> Where the private key and passphrase haven't been stolen from the machine(s)
> at one end or the other of the pair of people. (The theft can be rendered
> moot, but only after it's detected.)
Yeah, well that's an entirely separate issue and not really relevant here.
> And where the two people are both in countries where encryption is legal (or
> they don't care).
Well, yeah, local politics can get in the way of global communications,
and sometimes in the way of local communications too, depending on how
draconian one's local jurisdiction is. People must live with the
situations they create for themselves.
> And if the people involved avoid 8-bit problems in
> transmission.
I haven't seen any problem at this level for almost a decade.
(charset confusion, yes, but binary transparency for e-mail is a
non-issue, especially since all forms of encryption used in PGP e-mail
have always been "ascii-armoured")
> And, for the s/mime form, where intervening mail servers haven't stripped
> the MIME part or done other damage to the signed portion of the message
> (detection is easy...avoidance may not be).
Yeah, same problem for PGP/MIME (or whatever it's called).
But this is really just an example of either well-intentioned people
misunderstanding the problem and doing exactly the wrong things in a
lame attempt to fix what they don't understand; or of people just not
caring and blatantly violating protocol levels in order to stomp out
something they don't like for whatever reason.
Sure it's nice to have an HTML-free mailing list, but at what cost?
> Your message (in the less vulnerable form of signing) seems to have survived
> all that.
>
> *** Status: Good Signature from Invalid Key
> *** Alert: Verify signer's key before trusting.
What horrible, confusing, misleading, error messages your PGP software
writes!
Computer programmers are notorious for using English very badly. :-)
A signature can't be verified from an "Invalid key". My key is valid
and your software verified the signature on my message was valid and was
created by my key. All that's missing is that your key doesn't have a
"connection" to my key in the web of trust. So my key is untrusted, but
it is not invalid.
> Now, if I knew you were you, I could get rid of the
> Invalid key part of the Status and the Alert.
I've been preaching PGP for over a decade now but as you can see from my
key I've been using it for far less time and I've still not signed into
the web of trust anywhere nearly enough. :-)
> PS: I *suspect* you are you.
I'm almost me. :-)
My key's user-id doesn't quite match the address I post to this list
with. (I should someday re-subscribe to this list so that my From:
address can match my PGP key user-ID.)
(I used to have a single-board computer called "almost" plugged into the
backplane of a big server (to get power from it) called "most" :-)
- --
Greg A. Woods
+1 416 218-0098 VE3TCP RoboHack <woods@???>
Planix, Inc. <woods@???> Secrets of the Weird <woods@???>
