* Ian G [EMAIL PROTECTED] wrote:
So, why not always sign messages to a list that permits
signatures?
It's hard to see the benefit, and it is easy to see the potential
cost. In a litiguous world, we are (slightly) better off not using
messages that are going to haunt us in years to come.
Ian G wrote:
Chris Palmer wrote:
Peter Saint-Andre writes:
http://www.saint-andre.com/blog/2006-02.html#2006-02-27T22:13
3. I see on your site you use and advertise for CACert. I hope CACert's
signing cert(s) are never trusted by my browser, because then my browser
would trust any
Peter Saint-Andre writes:
http://www.saint-andre.com/blog/2006-02.html#2006-02-27T22:13
1. Anonymity does matter. You might have heard of a little thing called
the First Amendment. ;) It's great that you're proud of what you say,
but no matter how proud you are, there could be bad, unfair
--
Victor Duchovni wrote:
My claim is that, while indeed it is easier to set the initial
barriers higher when you design with greater hindsight, and some of
the tractable, but not widely deployed email security measures will
be there in IM systems from the start, never the less IM systems
On Wed, Mar 01, 2006 at 06:15:36PM +0100, Ian G wrote:
Email is hard to get encrypted, but it didn't stop Skype from doing
encryped IMs easily.
Likewise I have secured email communications with my wife via a single
key exchange, so what? Skype has not easily created an interoperable
--- John W Noerenberg II [EMAIL PROTECTED] wrote:
Oh really? Then you should be able to send a note to my gmail
address.
So I have been reading this thread for the last couple days and the
above comment gives me a chance to voice something that really needs to
be said. Let's face it, a large
[EMAIL PROTECTED] wrote:
- Original Message -
From: Ben Laurie [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: NPR : E-Mail Encryption Rare in Everyday Use
Date: Thu, 02 Mar 2006 10:16:55 +
[EMAIL PROTECTED] wrote:
Alex Alten wrote:
At 05:12 PM 2/26/2006 +, Ben
More strongly, if we've never met, and you are not in the habit of
routinely signing email, thereby tying a key to your e-persona, it
makes no sense to speak of *secure* communication to *you*.
Regularly signing email is not necessarily a good idea. I like to be able
to repudiate most emails I
* Bill Stewart:
Or you could try using the Google Keyserver -
just because there isn't one
doesn't mean you can't type in 9E94 4513 3983 5F70
or 9383DE06 or [EMAIL PROTECTED] PGP Key
and see what's in Google's cache.
What a peculiar advice. We know for sure that Google logs these
At 05:58 AM 3/3/2006 +, Ben Laurie wrote:
[EMAIL PROTECTED] wrote:
[EMAIL PROTECTED] wrote:
Alex Alten wrote:
At 05:12 PM 2/26/2006 +, Ben Laurie wrote:
Alex Alten wrote:
At 02:59 PM 2/24/2006 +, Ben Laurie wrote:
Ed Gerck wrote: We have keyservers for this (my chosen
Hi,
Basically our customer required us to encrypt any team communications. So we
used PGP with email. I know the body of the email was encrypted, and I
believe attachments were too. The certs were used to automate the
decryption. Basically the PGP plugin would check the incoming mail's sender
At 03:13 AM 3/6/2006 +1300, Peter Gutmann wrote:
Basically our customer required us to encrypt any team communications. So we
used PGP with email. I know the body of the email was encrypted, and I
believe attachments were too. The certs were used to automate the
decryption. Basically the PGP
Alex Alten [EMAIL PROTECTED] writes:
At 03:13 AM 3/6/2006 +1300, Peter Gutmann wrote:
Basically our customer required us to encrypt any team communications. So we
used PGP with email. I know the body of the email was encrypted, and I
believe attachments were too. The certs were used to
Alex Alten wrote:
At 05:58 AM 3/3/2006 +, Ben Laurie wrote:
[EMAIL PROTECTED] wrote:
[EMAIL PROTECTED] wrote:
Alex Alten wrote:
At 05:12 PM 2/26/2006 +, Ben Laurie wrote:
Alex Alten wrote:
At 02:59 PM 2/24/2006 +, Ben Laurie wrote:
Ed Gerck wrote: We have keyservers for
Victor Duchovni wrote:
On Wed, Mar 01, 2006 at 06:15:36PM +0100, Ian G wrote:
Email is hard to get encrypted, but it didn't stop Skype from doing
encryped IMs easily.
Likewise I have secured email communications with my wife via a single
key exchange, so what? Skype has not easily created
Anton Stiglic wrote:
More strongly, if we've never met, and you are not in the habit of
routinely signing email, thereby tying a key to your e-persona, it
makes no sense to speak of *secure* communication to *you*.
Regularly signing email is not necessarily a good idea. I like to be able
On Wed, Mar 08, 2006 at 12:53:16PM -0700, Peter Saint-Andre wrote:
These are closed systems that compete with each other, once
they become federated, they can no longer compete on end-to-end
security, because that is a property of the interoperability
framework, not the individual
Victor Duchovni wrote:
On Wed, Mar 08, 2006 at 12:53:16PM -0700, Peter Saint-Andre wrote:
These are closed systems that compete with each other, once
they become federated, they can no longer compete on end-to-end
security, because that is a property of the interoperability
framework, not
On Wed, Mar 08, 2006 at 01:55:16PM -0700, Peter Saint-Andre wrote:
I never made the strong claim that the federated Jabber network is or
always will remain spam free, only the weaker claim that its abuse and
identity problems are and will remain less serious than those of the
federated email
On Sun, Feb 26, 2006 at 01:42:56PM -0800, Trevor Perrin wrote:
Perhaps this is further support for Iang's contention that we should
expect newer, interactive protocols (IM, Skype, etc.) to take the lead
in communication security. Email-style message encryption may simply
be a much harder
At 5:58 PM -0800 2/24/06, Ed Gerck wrote:
A phone number is not an envelope -- it's routing information, just like
an email address. Publishing the email address is not in question and
there are alternative ways to find it out, such as search engines.
Oh really? Then you should be able to
John W Noerenberg II wrote:
At 5:58 PM -0800 2/24/06, Ed Gerck wrote:
A phone number is not an envelope -- it's routing information, just
like
an email address. Publishing the email address is not in question and
there are alternative ways to find it out, such as search engines.
Oh really?
Ben Laurie [EMAIL PROTECTED] writes:
Florian Weimer wrote:
I couldn't find a PGP key server operator that committed itself to
keeping logs confidential and deleting them in a timely manner (but I
didn't look very hard, either). Of course, since PGP hasn't
progressed as faster as our
At 04:52 PM 2/26/2006, Ben Laurie wrote:
Don't forget that the ability to decrypt is just as good as a signature
to prove association of the key.
All it needs is for one successful trojan that steals your private
key/passphrase and plausible deniability is available again. :)
Does anybody
Somebody, probably Florian, wrote:
I couldn't find a PGP key server operator that committed itself to
keeping logs confidential and deleting them in a timely manner (but I
didn't look very hard, either).
Keyservers are a peripheral issue in PGP -
important for convenience and for quick
* Ed Gerck [EMAIL PROTECTED] [2006-02-25 13:11 -0800]:
Finally, the properties of MY public-key will directly affect the
confidentiality
properties of YOUR envelope. For example, if (on purpose or by force) my
public-key
enables a covert channel (eg, weak key, key escrow, shared private
On Sat, Feb 25, 2006 at 07:33:38PM +0100, Ian G wrote:
areas. The fact is that SSH came in with a solution
and beat the other guy - Telnet secured over SSL. It
wasn't the crypto that did this, it was the key management,
plain and simple.
Very few people I knew at the time moved to SSH
Ed Gerck wrote:
Ben Laurie wrote:
I totally don't buy this distinction - in order to write to you with
postal mail, I first have to ask you for your address.
We all agree that having to use name and address are NOT the problem,
for email or postal mail. Both can also deliver a letter just
At 05:12 PM 2/26/2006 +, Ben Laurie wrote:
Alex Alten wrote:
At 02:59 PM 2/24/2006 +, Ben Laurie wrote:
Ed Gerck wrote: We have keyservers for this (my chosen technology
was PGP). If you liken their use to looking up an address in an
address book, this isn't hard for users to grasp.
Alex Alten [EMAIL PROTECTED] writes:
What I really hated about it was that when [EMAIL PROTECTED] sent me an email
often I couldn't decrypt it. Why? Because his firm's email server decided
to put in the FROM field [EMAIL PROTECTED]. Since it didn't match
the email name in his X.509
Florian Weimer wrote:
* Ben Laurie:
I don't use PGP - for email encryption I use enigmail, and getting
missing keys is as hard as pressing the get missing keys button.
A step which has really profound privacy implications.
I couldn't find a PGP key server operator that committed itself
Alex Alten wrote:
At 05:12 PM 2/26/2006 +, Ben Laurie wrote:
Alex Alten wrote:
At 02:59 PM 2/24/2006 +, Ben Laurie wrote:
Ed Gerck wrote: We have keyservers for this (my chosen
technology was PGP). If you liken their use to looking up an
address in an address book, this isn't hard
On Sat, Feb 25, 2006 at 07:33:38PM +0100, Ian G wrote:
Hence, IM/chat, Skype, TLS experiments at Jabber, as
well as the OpenPGP attempts.
There are important lessons to be learnt in the rise of
IM over email.
Likewise the rise of the telephone over paper mail, but the phone does
not
bear wrote:
On Fri, 24 Feb 2006, Peter Saint-Andre wrote:
Personally I doubt that anything other than a small percentage of email
will ever be signed, let alone encrypted (heck, most people on this list
don't even sign their mail).
I don't think I've said anything here that I will
I have to chime in on a number of points. I'll try to keep commercial
plugs to a minimum.
* An awful lot of this discussion is some combination of outdated and
true but irrelevant. For example, it is true that usability of all
computers is not what it could be. But a lot of what has
On 2006-02-24, Peter Saint-Andre wrote:
Personally I doubt that anything other than a small percentage of email
will ever be signed, let alone encrypted (heck, most people on this list
don't even sign their mail).
That's at least partly because too many mailing lists either
reject signed
From: Peter Saint-Andre [EMAIL PROTECTED]
Sent: Feb 24, 2006 3:18 PM
Subject: Re: NPR : E-Mail Encryption Rare in Everyday Use
...
We could just as well say that encryption of remote server sessions is
rare in everyday use. It's just that only geeks even do remote server
sessions, so they use SSH
While there is merit in arguing how to simplify the mechanics of
using public key encryption for sending and receiving email, I cannot
agree with this assertion:
At 10:44 AM -0800 2/24/06, Ed Gerck wrote:
My $0.02: If we want to make email encryption viable (ie, user-level viable)
then we
At 06:09 PM 2/24/2006 +0100, Ian G wrote:
Steven M. Bellovin wrote:
Certainly, usability is an issue. It hasn't been solved because there's
no market for it here; far too few people care about email encryption.
Usability is the issue. If I look over onto
my skype window, it says there are
Peter Saint-Andre wrote:
Ian G wrote:
To get people to do something they will say no
to, we have to give them a freebie, and tie it
to the unpleasantry. E.g., in SSH, we get a better
telnet, and there is only the encrypted version.
We could just as well say that encryption of remote
Ed Gerck wrote:
Ben Laurie wrote:
Really? I just write Ed Gerck on an envelope and it gets to you? I
doubt it. Presumably I have to do all sorts of hard and user-unfriendly
things to find out and verify your address.
Perhaps I wasn't clear -- with postal mail you just write my name and
Peter Saint-Andre wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Ian G wrote:
To get people to do something they will say no
to, we have to give them a freebie, and tie it
to the unpleasantry. E.g., in SSH, we get a better
telnet, and there is only the encrypted version.
We could
Ben Laurie wrote:
I totally don't buy this distinction - in order to write to you with
postal mail, I first have to ask you for your address.
We all agree that having to use name and address are NOT the problem,
for email or postal mail. Both can also deliver a letter just with
the address
Victor Duchovni wrote:
On Fri, Feb 24, 2006 at 01:44:14PM +, Ben Laurie wrote:
Ed Gerck wrote:
Paul,
Usability should by now be recognized as the key issue for security -
namely, if users can't use it, it doesn't actually work.
And what I heard in the story is that even savvy users
Paul,
Usability should by now be recognized as the key issue for security -
namely, if users can't use it, it doesn't actually work.
And what I heard in the story is that even savvy users such as Phil Z
(who'd have no problem with key management) don't use it often.
BTW, just to show that
At 4:31 PM -0800 2/23/06, Ed Gerck wrote:
Usability should by now be recognized as the key issue for security -
Fully agree.
namely, if users can't use it, it doesn't actually work.
We disagree on the meaning of the phrase actually work.
And what I heard in the story is that even savvy
Ed Gerck wrote:
Paul,
Usability should by now be recognized as the key issue for security -
namely, if users can't use it, it doesn't actually work.
And what I heard in the story is that even savvy users such as Phil Z
(who'd have no problem with key management) don't use it often.
Hi,
And what I heard in the story is that even savvy users such as Phil Z
(who'd have no problem with key management) don't use it often.
Phil *does* have a problem with key management. He knows how to do
it, but his communications partners are not as good as he is.
Phil Z doesn´t know how
Ben Laurie wrote:
Ed Gerck wrote:
Paul,
Usability should by now be recognized as the key issue for security -
namely, if users can't use it, it doesn't actually work.
And what I heard in the story is that even savvy users such as Phil Z
(who'd have no problem with key management) don't use it
Ed Gerck wrote:
Ben Laurie wrote:
Ed Gerck wrote:
Paul,
Usability should by now be recognized as the key issue for security -
namely, if users can't use it, it doesn't actually work.
And what I heard in the story is that even savvy users such as Phil Z
(who'd have no problem with key
In message [EMAIL PROTECTED], Ed Gerck writes:
This IS one of the sticky points ;-) If postal mail would work this way,
you'd have to ask me to send you an envelope before you can send me mail.
This is counter-intuitive to users.
I assumed that that was your point, which is why I figured you
Usability should by now be recognized as the key issue for security -
namely, if users can't use it, it doesn't actually work.
% man gpg | wc -l
1705
% man gpg | grep dry
-n, --dry-run Don't make any changes (this is not completely implemented).
I rest my case.
--dan
This story (in addition to the daily headlines) seems to make the case that
the available techniques for secure email (hushmail, outlook/pki and pgp) do
NOT actually work.
http://www.npr.org/templates/story/story.php?storyId=5227744
Cheers,
Ed Gerck
At 1:56 PM -0800 2/23/06, Ed Gerck wrote:
This story (in addition to the daily headlines) seems to make the case that
the available techniques for secure email (hushmail, outlook/pki and pgp) do
NOT actually work.
That's an incorrect assessment of the short piece. The story says
that it does
54 matches
Mail list logo