On Fri, Aug 01, 2003, Dan Armak wrote about "Keysigning issues":
> 2. For some reason, no one seems to use the option of adding a photo to their
> gpg key. (Except for me that is :-) Why is that? Photos, printed out along
> with fingerprints on the list Muli handed out today, would make paper ID-based
> authentication much more reasonable and a solution to (1) far less
> necessary. Especially since we all know what photos in ID cards are like.
> Photos in GPG keys can be more easily kept up to date and similar to our actual
> appearances. (At least for people with digital cameras...)

Have you seen the smile on people's faces during the key signing, when you see people with 10 year old pictures in their teudat zehut, removed or new beard, and things like that? :) Maybe that's why people don't like to stick their pictures in their ID if they can help it.

> 3. And finally the biggest problem: people, use your keys! :-) Why do so few
> people routinely sign their outgoing mail? (Few compared even to how many
> participants there were in the keysigning party today.)
> Your key is half-useless if you don't sign everything you do.

This is wrong, I think. Compare this to real life - do you autograph every piece of paper you ever write on? Of course you don't. In fact, when someone asks you to sign on something you wrote, you hesitate. You ask yourself - is it really necessary that I provide the other guy a legal means to prove I really wrote on this paper? Similarly with digital signatures. I sometimes write silly emails like this one. I know that people already associate these silly things with me, but do I really need to provide them with a way to legally *prove* that I wrote these things? Why??

> You can still
> prove that every signed message comes from you, but you can't prove that some
> random unsigned message doesn't. Someone can still pretend to be you, or
> intercept and change your mails.

Right. And for most people, this isn't a problem. The same is true for paper and ink too - someone could pop up a piece of paper allegedly written by you, unsigned, and say you wrote it and like usual you didn't sign it...

I, for example, only sign messages and files that I want others to be certain really came from me. For example, my free software packages (e.g., hspell) are signed by my key, so that people on this list don't have to risk downloading trojan versions of my packages. For certain kinds of things, like software packages and credit-card slips, people *expect* them to be signed, and are suspicious if they see an unsigned one.
This is how it should work, not "sign everything you ever write".

--
Nadav Har'El                        | Saturday, Aug 2 2003, 5 Av 5763
[EMAIL PROTECTED]                   |-----------------------------------------
Phone: +972-53-245868, ICQ 13349191 |War doesn't determine who's right but
http://nadav.harel.org.il           |who's left.
