Re: keyserver spam

2011-12-20 Thread Melvin Carvalho
On 16 December 2011 18:50, Daniel Kahn Gillmor d...@fifthhorseman.net wrote: On 12/16/2011 10:51 AM, gn...@lists.grepular.com wrote: I understand that once you've uploaded something to the keyservers, it can't be removed. Eg, if I sign someone else's key and upload that, it will be attached to

Re: keyserver spam

2011-12-20 Thread Hubert Kario
On Monday 19 of December 2011 10:36:33 Jerome Baum wrote: On 2011-12-19 10:31, Jerome Baum wrote: My understanding is that name + DoB + place of birth together are unique. Sometimes. In theory. Oh but that doesn't mean we should all add our DoB to our UIDs now. Remember that your DoB is

Re: keyserver spam

2011-12-20 Thread Johan Wevers
On 20-12-2011 16:49, Hubert Kario wrote: Yeah, the kind of protections banks use is funny. But then, what can they do when people forget their passwords 5 minutes after they set them or use the same password on facebook and their bank... They could use the same system that all banks

Re: keyserver spam

2011-12-20 Thread Hubert Kario
On Tuesday 20 of December 2011 17:34:24 Johan Wevers wrote: On 20-12-2011 16:49, Hubert Kario wrote: Yeah, the kind of protections banks use is funny. But then, what can they do when people forget their passwords 5 minutes after they set them or use the same password on facebook and their

Re: keyserver spam

2011-12-19 Thread Jerome Baum
On 2011-12-18 23:40, MFPA wrote: So are certification policies that say (or don't say but enforce anyway) that you must have an email on your UID. Why refuse to certify _less_ information? Why indeed. My government won't issue a passport that doesn't include my date of birth. These days I

Re: keyserver spam

2011-12-19 Thread Jerome Baum
On 2011-12-19 10:31, Jerome Baum wrote: My understanding is that name + DoB + place of birth together are unique. Sometimes. In theory. Oh but that doesn't mean we should all add our DoB to our UIDs now. Remember that your DoB is actually secret and only your credit card company is meant to

Re: keyserver spam

2011-12-18 Thread Werner Koch
On Sat, 17 Dec 2011 17:15, expires2...@ymail.com said: A key's UIDs don't *have to* contain email addresses. But in the case where they do, a verification email would be a useful addition. But An interesting way to spam key owners. Not a big deal, it is easy to add a procmail rule to send

Re: keyserver spam

2011-12-18 Thread MFPA
Hi On Saturday 17 December 2011 at 4:58:28 PM, in mid:4eecca34.9050...@jeromebaum.com, Jerome Baum wrote: On 2011-12-17 17:04, MFPA wrote: On Saturday 17 December 2011 at 3:25:56 PM, in mid:4eecb484.6080...@jeromebaum.com, Jerome Baum wrote:

Re: keyserver spam

2011-12-18 Thread MFPA
Hi On Sunday 18 December 2011 at 12:06:22 PM, in mid:87iple6q4h@vigenere.g10code.de, Werner Koch wrote: An interesting way to spam key owners. Not a big deal, it is easy to add a procmail rule to send them to the bit bucket. I'd not

Re: keyserver spam

2011-12-17 Thread gnupg
On 16/12/11 19:07, ved...@nym.hush.com wrote: What if keyservers were to limit the amount of keys generated or uploaded to a 'reasonable' amount which no 'real' user would exceed? (i.e. 10/day, or some other number discussed and agreed upon by the various keyservers?) You could still

Re: keyserver spam

2011-12-17 Thread gnupg
On 17/12/11 02:45, Jerome Baum wrote: What if keyservers were to limit the amount of keys generated or uploaded to a 'reasonable' amount which no 'real' user would exceed? (i.e. 10/day, or some other number discussed and agreed upon by the various keyservers?) What problem are we

Re: keyserver spam

2011-12-17 Thread Jerome Baum
On 2011-12-17 14:23, gn...@lists.grepular.com wrote: I find it strange that the keyservers don't do any sort of email validation before accepting key submissions and that they just allow anyone to upload signatures for your key without verifying if you want to allow them first. What about

Re: keyserver spam

2011-12-17 Thread Jerome Baum
On 2011-12-17 14:29, gn...@lists.grepular.com wrote: The system can be easily abused, therefore it will be abused. It's just a matter of time. How much time, depends on if/when PGP becomes more popular. It doesn't strike me as unreasonable to want to put defences in place before an attack

Re: keyserver spam

2011-12-17 Thread gnupg
On 17/12/11 13:40, Jerome Baum wrote: The system can be easily abused, therefore it will be abused. It's just a matter of time. How much time, depends on if/when PGP becomes more popular. It doesn't strike me as unreasonable to want to put defences in place before an attack begins. Just

Re: keyserver spam

2011-12-17 Thread Peter Lebbing
On 17/12/11 14:23, gn...@lists.grepular.com wrote: I find it strange that the keyservers don't do any sort of email validation before accepting key submissions and that they just allow anyone to upload signatures for your key without verifying if you want to allow them first. The key property

Re: keyserver spam

2011-12-17 Thread Peter Lebbing
On 17/12/11 14:58, gn...@lists.grepular.com wrote: It would only take one troll. Yet, so far so good (in general). And the infrastructure has existed for quite some years already. OpenPGP might never become popular enough to attract childish people to the keyserver network :). I certainly hope

Re: keyserver spam

2011-12-17 Thread Jerome Baum
On 2011-12-17 14:54, gn...@lists.grepular.com wrote: What about keys without an email in the UID? For the first issue regarding uploading keys, you wouldn't be able to do email validation on a key that doesn't have an email address in the UID. At the same time, for those keys, you wouldn't

Re: keyserver spam

2011-12-17 Thread Jerome Baum
On 2011-12-17 14:58, gn...@lists.grepular.com wrote: So you agree that there is a point where putting security measures in place is a good idea. Where you disagree with me, is you think it is unlikely that the keyservers will be abused in this manner in the near future. I guess neither of

Re: keyserver spam

2011-12-17 Thread gnupg
On 17/12/11 13:33, Jerome Baum wrote: I find it strange that the keyservers don't do any sort of email validation before accepting key submissions and that they just allow anyone to upload signatures for your key without verifying if you want to allow them first. What about keys without an

Re: keyserver spam

2011-12-17 Thread Erik Loosman
I have uploaded my key to a keyserver at pgp.com: uploading a key to their keyserver requires a verification by e-mail. Every id (e-mail address) in your key receives an e-mail. Respond to one of those e-mails (clicking link) to verify you issued the key replacement. But when (one of) your e-mail

Re: keyserver spam

2011-12-17 Thread David Shaw
On Dec 17, 2011, at 8:23 AM, gn...@lists.grepular.com wrote: On 16/12/11 19:07, ved...@nym.hush.com wrote: What if keyservers were to limit the amount of keys generated or uploaded to a 'reasonable' amount which no 'real' user would exceed? (i.e. 10/day, or some other number discussed

Re: keyserver spam

2011-12-17 Thread Jerome Baum
On 2011-12-17 16:17, David Shaw wrote: It's an interesting server, with different semantics than the traditional keyserver net that we were talking about earlier. Most significantly, it emails the keyholder (at the address on the key) before accepting the key into the server. It also signs

Re: keyserver spam

2011-12-17 Thread Aaron Toponce
On Fri, Dec 16, 2011 at 03:51:34PM +, gn...@lists.grepular.com wrote: I understand that once you've uploaded something to the keyservers, it can't be removed. Eg, if I sign someone else's key and upload that, it will be attached to their key permanently? What if someone were to generate

Re: keyserver spam

2011-12-17 Thread David Shaw
On Dec 17, 2011, at 10:25 AM, Jerome Baum wrote: On 2011-12-17 16:17, David Shaw wrote: It's an interesting server, with different semantics than the traditional keyserver net that we were talking about earlier. Most significantly, it emails the keyholder (at the address on the key) before

Re: keyserver spam

2011-12-17 Thread MFPA
Hi On Saturday 17 December 2011 at 3:25:56 PM, in mid:4eecb484.6080...@jeromebaum.com, Jerome Baum wrote: I doubt the validity of those automated checks and checks on the email anyway. What constitutes owning f...@example.com? As far as that

Re: keyserver spam

2011-12-17 Thread MFPA
Hi On Saturday 17 December 2011 at 1:23:18 PM, in mid:4eec97c6.5040...@lists.grepular.com, gn...@lists.grepular.com wrote: I find it strange that the keyservers don't do any sort of email validation before accepting key submissions A key's

Re: keyserver spam

2011-12-17 Thread Jerome Baum
On 2011-12-17 16:42, Aaron Toponce wrote: I guess Anonymous or LULZ Security, or the like, could do it out of sheer entertainment, but it would die quickly, as the effort in maintaining the noise outweighs the benefit of annoying users by several orders of magnitude. I think the point was

Re: keyserver spam

2011-12-17 Thread Jerome Baum
On 2011-12-17 17:15, MFPA wrote: Since you don't log into a keyserver when you post, and keyservers store data but do not perform cryptographic functions, this is pretty much inevitable. The keyserver-no-modify flag could, in theory, carry with it a requirement that modifications to a key were

Re: keyserver spam

2011-12-17 Thread MFPA
Hi On Friday 16 December 2011 at 5:50:53 PM, in mid:4eeb84fd.9020...@fifthhorseman.net, Daniel Kahn Gillmor wrote: well, there's the JBARSE key, which i vaguely recall having been created in a joking way to threaten character assassination,

Re: keyserver spam

2011-12-17 Thread MFPA
Hi On Saturday 17 December 2011 at 4:34:23 PM, in mid:4eecc48f.1080...@jeromebaum.com, Jerome Baum wrote: On 2011-12-17 16:42, Aaron Toponce wrote: I guess Anonymous or LULZ Security, or the like, could do it out of sheer entertainment, but

Re: keyserver spam

2011-12-17 Thread Jerome Baum
On 2011-12-17 17:04, MFPA wrote: On Saturday 17 December 2011 at 3:25:56 PM, in mid:4eecb484.6080...@jeromebaum.com, Jerome Baum wrote: I doubt the validity of those automated checks and checks on the email anyway. What constitutes owning f...@example.com? As far as that server's checking

Re: keyserver spam

2011-12-17 Thread MFPA
Hi On Friday 16 December 2011 at 3:51:34 PM, in mid:4eeb6906.8060...@lists.grepular.com, gn...@lists.grepular.com wrote: I understand that once you've uploaded something to the keyservers, it can't be removed. Eg, if I sign someone else's key

Re: keyserver spam

2011-12-16 Thread Daniel Kahn Gillmor
On 12/16/2011 10:51 AM, gn...@lists.grepular.com wrote: I understand that once you've uploaded something to the keyservers, it can't be removed. Eg, if I sign someone else's key and upload that, it will be attached to their key permanently? yes, this is correct. :( What if someone were to

Re: keyserver spam

2011-12-16 Thread David Shaw
On Dec 16, 2011, at 10:51 AM, gn...@lists.grepular.com wrote: I understand that once you've uploaded something to the keyservers, it can't be removed. Eg, if I sign someone else's key and upload that, it will be attached to their key permanently? Essentially, yes. Things are theoretically

Re: keyserver spam

2011-12-16 Thread Johan Wevers
On 16-12-2011 16:51, gn...@lists.grepular.com wrote: I understand that once you've uploaded something to the keyservers, it can't be removed. Eg, if I sign someone else's key and upload that, it will be attached to their key permanently? Yes. Of course, you can remove it locally. What if

re: keyserver spam

2011-12-16 Thread vedaal
What if keyservers were to limit the amount of keys generated or uploaded to a 'reasonable' amount which no 'real' user would exceed? (i.e. 10/day, or some other number discussed and agreed upon by the various keyservers?) vedaal

Re: keyserver spam

2011-12-16 Thread Jerome Baum
On 2011-12-16 20:07, ved...@nym.hush.com wrote: What if keyservers were to limit the amount of keys generated or uploaded to a 'reasonable' amount which no 'real' user would exceed? (i.e. 10/day, or some other number discussed and agreed upon by the various keyservers?) What problem are

Re: Keyserver spam example

2010-06-13 Thread Jerry
On Sat, 12 Jun 2010 07:58:19 -0500 Sonja Michelle Lina Thomas sonjamiche...@gmail.com articulated: I would not trust Google with your data, far less mine. They have already been accused of illegally pilfering through user data and mining for

Re: Keyserver spam example

2010-06-13 Thread Sonja Michelle Lina Thomas
Interestingly enough, the first email I read this morning had a link to this: http://tech.slashdot.org/story/10/06/12/2339209/Google-Tells-Congress-It-Disclosed-Wi-Fi-Sniffing And that is just the tip of the iceberg. -- Jerry OMG!! Google is stealing and archiving pictures of my dopey

Re: Keyserver spam example

2010-06-12 Thread Jean-David Beyer
MFPA wrote: The Spamhaus PBL might very well list you. 76.185.38.113 is listed in the PBL Mailservers using this blocklist would probably block mail from you. Of course, even Spamhaus's own website says the PBL is not a blacklist and that you can remove your IP address from their list

Re: Keyserver spam example

2010-06-12 Thread Jerry
On Sat, 12 Jun 2010 06:22:47 -0500 Sonja Michelle Lina Thomas sonjamiche...@gmail.com articulated: I use gmail for my SMTP needs. I have accounts on a couple of unix machines, yahoo, gmail, aim, my business hosted via godaddy and I choose gmail

Re: Keyserver spam example

2010-06-12 Thread Sonja Michelle Lina Thomas
I would not trust Google with your data, far less mine. They have already been accused of illegally pilfering through user data and mining for user wireless information. I avoid them like the plague whenever possible. Pffft, they can't get to

Re: Keyserver spam example

2010-06-12 Thread Jerry
On Sat, 12 Jun 2010 08:39:00 -0400 Jean-David Beyer jeandav...@verizon.net articulated: Yes, I did. They will not accept anything from my MTA even when I use the smarthost feature. I can use either their web site server (that I detest) or Firefox, but they will not allow sendmail even with

Re: Keyserver spam example

2010-06-12 Thread Jean-David Beyer
Jerry wrote: On Sat, 12 Jun 2010 06:22:47 -0500 Sonja Michelle Lina Thomas sonjamiche...@gmail.com articulated: I use gmail for my SMTP needs. I have accounts on a couple of unix machines, yahoo, gmail, aim, my business hosted via godaddy and I choose gmail as the default SMTP server for all

Re: Keyserver spam example

2010-06-12 Thread MFPA
Hi On Saturday 12 June 2010 at 12:37:08 PM, in mid:20100612073708.6e27e...@scorpio, Jerry wrote: I would not trust Google with your data, far less mine. The problem is that you never know if your contact will forward things to a google

Re: Keyserver spam example

2010-06-11 Thread Werner Koch
On Fri, 11 Jun 2010 02:16, expires2...@ymail.com said: delete them if they don't. Or one message to everybody with a customised subject line for each. Alternatively, those of us who are That is a good idea. I was thinking of bisecting the mailing list to make sure that test mails receive the

Re: Keyserver spam example

2010-06-11 Thread Jerry
On Fri, 11 Jun 2010 09:15:56 +0200 Werner Koch w...@gnupg.org articulated: On Fri, 11 Jun 2010 02:16, expires2...@ymail.com said: delete them if they don't. Or one message to everybody with a customised subject line for each. Alternatively, those of us who are That is a good idea. I

Re: Keyserver spam example

2010-06-11 Thread Mark H. Wood
On Thu, Jun 10, 2010 at 05:57:50PM +0200, Joke de Buhr wrote: You do not sacrifice legitimate incoming mail because there is an RFC that clearly states mailservers do not operate from dynamic IP addresses. Therefore they can not be considered valid. If there is such an RFC, it's rubbish; I

Re: Keyserver spam example

2010-06-11 Thread MFPA
Hi On Thursday 10 June 2010 at 4:39:46 PM, in mid:201006101739.46469.mailinglis...@hauke-laging.de, Hauke Laging wrote: But that is the wrong argument. The correct argument is about the key server share of spam in a world in which nearly

Re: Keyserver spam example

2010-06-11 Thread John Clizbe
Mark H. Wood wrote: On Thu, Jun 10, 2010 at 05:57:50PM +0200, Joke de Buhr wrote: You do not sacrifice legitimate incoming mail because there is an RFC that clearly states mailservers do not operate from dynamic IP addresses. Therefore they can not be considered valid. If there is such

Re: Keyserver spam example

2010-06-11 Thread MFPA
Hi On Thursday 10 June 2010 at 4:53:43 PM, in mid:87bpbivq7s@servo.finestructure.net, Jameson Rollins wrote: On Thu, 10 Jun 2010 11:32:05 -0400, Daniel Kahn Gillmor d...@fifthhorseman.net wrote: And i should probably add that it is indeed

Re: Keyserver spam example

2010-06-11 Thread Jerry
On Fri, 11 Jun 2010 11:18:05 -0500 John Clizbe j...@mozilla-enigmail.org articulated: Mark H. Wood wrote: On Thu, Jun 10, 2010 at 05:57:50PM +0200, Joke de Buhr wrote: You do not sacrifice legitimate incoming mail because there is an RFC that clearly states mailservers do not operate from

Re: Keyserver spam example

2010-06-11 Thread MFPA
Hi On Friday 11 June 2010 at 8:00:09 PM, in mid:20100611150009.2719a...@scorpio, Jerry wrote: On Fri, 11 Jun 2010 11:18:05 -0500 John Clizbe j...@mozilla-enigmail.org articulated: Mark H. Wood wrote: On Thu, Jun 10, 2010 at 05:57:50PM

Re: Keyserver spam example

2010-06-11 Thread MFPA
Hi On Friday 11 June 2010 at 2:34:44 PM, in mid:20100611133444.gc2...@iupui.edu, Mark H. Wood wrote: If there is such an RFC, it's rubbish; I think there is no such RFC, just an assertion from a messaging industry lobbying group that it's the

Re: Keyserver spam example

2010-06-10 Thread Joke de Buhr
I've never gotten any keyserver related spam so far and my public keys with a valid mail address were published year ago. I think it's more likely you will get spam because you are posting to a mailing list which does have a html archive (like this one). If you want to get rid of most spam,

Re: Keyserver spam example

2010-06-10 Thread David Shaw
On Thursday 10 June 2010 16:00:18 David Shaw wrote: Hi everyone, Periodically there is a discussion on this list about whether having your key on a keyserver will result in more spam. My feeling on this is that you might get more spam, but it's a drop in the bucket compared to the usual

Re: Keyserver spam example

2010-06-10 Thread Joke de Buhr
I never said this particular spam message was not caused by someone scanning the keyserver. I only stated it isn't that common and never happened to me. The chance someone harvesting your email address through keyserver scanning is less common than harvesting archives of mailing lists.

Re: Keyserver spam example

2010-06-10 Thread MFPA
Hi On Thursday 10 June 2010 at 3:35:34 PM, in mid:201006101635.36328.j...@seiken.de, Joke de Buhr wrote: I've never gotten any keyserver related spam so far and my public keys with a valid mail address were published year ago. In order to

Re: Keyserver spam example

2010-06-10 Thread Daniel Kahn Gillmor
Hi Joke-- On 06/10/2010 11:22 AM, Joke de Buhr wrote: I never said this particular spam message was not caused by someone scanning the keyserver. I only stated it isn't that common and never happened to me. The chance someone harvesting your email address through keyserver scanning is

Re: Keyserver spam example

2010-06-10 Thread Hauke Laging
Am Donnerstag 10 Juni 2010 16:00:18 schrieb David Shaw: Periodically there is a discussion on this list about whether having your key on a keyserver will result in more spam. My feeling on this is that you might get more spam, but it's a drop in the bucket compared to the usual onslaught

Re: Keyserver spam example

2010-06-10 Thread Joke de Buhr
On Thursday 10 June 2010 17:29:18 MFPA wrote: Hi On Thursday 10 June 2010 at 3:35:34 PM, in mid:201006101635.36328.j...@seiken.de, Joke de Buhr wrote: I've never gotten any keyserver related spam so far and my public keys with a valid mail address were published year ago. In

Re: Keyserver spam example

2010-06-10 Thread Jameson Rollins
On Thu, 10 Jun 2010 11:32:05 -0400, Daniel Kahn Gillmor d...@fifthhorseman.net wrote: And i should probably add that it is indeed an infinitesimal drop in the bucket compared to the other spam i receive; i'm not concerned about it. Not to mention that the bother of a couple of extra spams is

[OT] spam avoidance via IP-based filtering at the MTA [was: Re: Keyserver spam example]

2010-06-10 Thread Daniel Kahn Gillmor
On 06/10/2010 11:57 AM, Joke de Buhr wrote: You do not sacrifice legitimate incoming mail because there is an RFC that clearly states mailservers do not operate from dynamic IP addresses. Therefore they can not be considered valid. Please cite this RFC. All IP addresses are dynamic in

Re: Keyserver spam example

2010-06-10 Thread MFPA
Hi On Thursday 10 June 2010 at 4:57:50 PM, in mid:201006101757.53020.j...@seiken.de, Joke de Buhr wrote: One of the addresses of my key is totally unprotected against spam. Nothing is blocked or scanned there. And it doesn't get any spam at

Re: Keyserver spam example

2010-06-10 Thread Jameson Rollins
Speaking of spam, I'm getting more spam from some sort of automated ticketing system that seems to be subscribed to this list than I ever have from a keyserver. The mail seems to come from: secure.mpcustomer.com and it often sets the From: to be from someone else. This is totally uncool. Is

Re: Keyserver spam example

2010-06-10 Thread Hauke Laging
Am Donnerstag 10 Juni 2010 18:39:25 schrieb Jameson Rollins: Speaking of spam, I'm getting more spam from some sort of automated ticketing system that seems to be subscribed to this list than I ever have from a keyserver. The mail seems to come from: secure.mpcustomer.com and it often

Re: Keyserver spam example

2010-06-10 Thread Peter Lebbing
On -10/01/37 20:59, Joke de Buhr wrote: You do not sacrifice legitimate incoming mail because there is an RFC that clearly states mailservers do not operate from dynamic IP addresses. Therefore they can not be considered valid. Which RFC would this be? I could not find the word dynamic in

Re: Keyserver spam example

2010-06-10 Thread MFPA
Hi On Thursday 10 June 2010 at 6:04:37 PM, in mid:201006101904.37296.mailinglis...@hauke-laging.de, Hauke Laging wrote: Am Donnerstag 10 Juni 2010 18:39:25 schrieb Jameson Rollins: Speaking of spam, I'm getting more spam from some sort of

Re: Keyserver spam example

2010-06-10 Thread Robert J. Hansen
On 6/10/2010 8:16 PM, MFPA wrote: Whenever I post to this list these days I get one of their auto-replies, and they always spoof the from address to whatever I had in the to field of my message to the list. [lots of discussion deleted] I think it's safe to say the list moderators are now well