On Sep 11, 2013, at 2:45 AM, Ted Lemon ted.le...@nominum.com wrote:
On Sep 10, 2013, at 6:50 PM, Phillip Hallam-Baker hal...@gmail.com wrote:
Could be but I have been working through what we know versus what would be
required and I really can't see how a group of people who would let Snowden
Hi Yoav,
At 03:28 11-09-2013, Yoav Nir wrote:
I don't think you'd even need the threats.
[snip]
Notice the important parts of that pitch. A sense of danger; Making
the target feel either patriotic or a humanitarian; Sharing a
secret with the target, making him part of the inner circle.
On Wed, Sep 11, 2013 at 11:41 AM, SM s...@resistor.net wrote:
Hi Yoav,
At 03:28 11-09-2013, Yoav Nir wrote:
I don't think you'd even need the threats.
[snip]
Notice the important parts of that pitch. A sense of danger; Making the
target feel either patriotic or a humanitarian; Sharing
On 10 Sep 2013, at 3:53, John R Levine jo...@taugh.com wrote:
Typical S/MIME keys are issued by CAs that verify them by
sending you mail with a link. While it is easy to imagine ways that
could be subverted, in practice I've never seen it.
The most obvious way that it can be subverted is
Original Message -
From: Richard Barnes r...@ipv.sx
To: Peter Saint-Andre stpe...@stpeter.im
Cc: ietf@ietf.org
Sent: Monday, September 09, 2013 6:14 PM
It also makes it obvious to everyone that Peter is using PGP. Which
serves
a pedagogical function, I guess. :)
It also means I can
Subject: Re: not really pgp signing in van Date: Tue, Sep 10, 2013 at
01:07:19AM - Quoting John Levine (jo...@taugh.com):
The MUAs I use (Thunderbird, Alpine, Evolution) support S/MIME a lot
better than they support PGP. There's typically a one key command or
a button to turn signing
On Sep 10, 2013, at 4:41 AM, t.p. daedu...@btconnect.com wrote:
for reasons of
security, of course; html has far too many attack vectors to allow it to
be processed in e-mail
If that's true, why is it safe for you to use HTML in a web browser? Is it
because you feel that the HTTP trust
- Original Message -
From: Ted Lemon ted.le...@nominum.com
To: t.p. daedu...@btconnect.com
Cc: Richard Barnes r...@ipv.sx; Peter Saint-Andre
stpe...@stpeter.im; ietf@ietf.org
Sent: Tuesday, September 10, 2013 2:03 PM
On Sep 10, 2013, at 4:41 AM, t.p. daedu...@btconnect.com wrote:
for
On Mon, Sep 9, 2013 at 9:41 PM, Ted Lemon ted.le...@nominum.com wrote:
On Sep 9, 2013, at 9:26 PM, John R Levine jo...@taugh.com wrote:
Um, didn't this start out as a discussion about how we should try to get
people using crypto, rather than demanding perfection that will never
happen?
On Sep 10, 2013, at 12:32 PM, Phillip Hallam-Baker hal...@gmail.com wrote:
The CA NEVER ever gives the user the key in any of the systems I have worked
on.
This appears to be untrue.
Comodo offers that exact service today.
https://secure.comodo.com/products/!SecureEmailCertificate_Signup
On Tue, Sep 10, 2013 at 1:18 PM, Ted Lemon ted.le...@nominum.com wrote:
On Sep 10, 2013, at 12:32 PM, Phillip Hallam-Baker hal...@gmail.com
wrote:
The CA NEVER ever gives the user the key in any of the systems I have
worked on.
This appears to be untrue.
Comodo offers that exact
On Tue, Sep 10, 2013 at 05:47:55PM -0400, John R Levine wrote:
I think we're entering the tinfoil zone here. Comodo is one of the
largest CAs around, with their entire income depending on people
paying them to sign web and code certs because they are seen as
trustworthy.
You might want to
perhaps you remember the Comodo CA fraud problem?
http://arstechnica.com/security/2011/03/how-the-comodo-certificate-fraud-calls-ca-trust-into-question/
/bill
On 10September2013Tuesday, at 14:47, John R Levine wrote:
You go to a Web page that has the HTML or Javascript control for generating
On 10 September 2013 11:36, Ted Lemon ted.le...@nominum.com wrote:
So I run Javascript provided by Comodo to generate the key pair. This means
that my security depends on my willingness and ability to read possibly
obfuscated Javascript to make sure that it only uploads the public half of
On Tue, Sep 10, 2013 at 6:06 PM, Ted Lemon ted.le...@nominum.com wrote:
On Sep 10, 2013, at 5:47 PM, John R Levine jo...@taugh.com wrote:
How likely is it that they would risk their reputation and hence their
entire business by screwing around with free promo S/MIME certs?
I don't know.
On Tue, Sep 10, 2013 at 2:36 PM, Ted Lemon ted.le...@nominum.com wrote:
On Sep 10, 2013, at 2:19 PM, Phillip Hallam-Baker hal...@gmail.com
wrote:
You go to a Web page that has the HTML or Javascript control for
generating a keypair. But the keypair is generated on the end user's
computer.
On Mon, 9 Sep 2013, Fernando Gont wrote:
It might be worth thinking about why ssh and ssl work so well, and
PGP/GPG don't.
Just a quick guess: SSL works automagically, PGP doesn't. So even if the
user doesn't care, SSL is there. PGP, OTOH, usually requires explicit
installation of a plug in
On Sep 10, 2013, at 2:19 PM, Phillip Hallam-Baker hal...@gmail.com wrote:
You go to a Web page that has the HTML or Javascript control for generating a
keypair. But the keypair is generated on the end user's computer.
So I run Javascript provided by Comodo to generate the key pair. This
On Sep 10, 2013, at 5:47 PM, John R Levine jo...@taugh.com wrote:
How likely is it that they would risk their reputation and hence their entire
business by screwing around with free promo S/MIME certs?
I don't know. What happens if they are served with an NSL? I certainly
don't think
On Sep 10, 2013, at 6:50 PM, Phillip Hallam-Baker hal...@gmail.com wrote:
Could be but I have been working through what we know versus what would be
required and I really can't see how a group of people who would let Snowden
loose on their innermost secrets would be able to keep a conspiracy
You go to a Web page that has the HTML or Javascript control for generating a
keypair. But the keypair is generated on the end user's computer.
So I run Javascript provided by Comodo to generate the key pair. This means
that my security depends on my willingness and ability to read possibly
Subject: RE: pgp signing in van Date: Mon, Sep 09, 2013 at 05:28:55AM +0100
Quoting l.w...@surrey.ac.uk (l.w...@surrey.ac.uk):
There is no upside.
By signing your mail you lose plausible deniability, remove legal doubt as to
what you said...
Thinking twice about what to state has some
hi Hector, Peter, all,
On 9 Sep 2013, at 1:09, Hector Santos hsan...@isdg.net wrote:
On 9/8/2013 6:21 PM, Peter Saint-Andre wrote:
On 9/8/13 3:50 PM, Ted Lemon wrote:
What's the upside to signing my email? I know why I want
everybody I know to sign my email, but what's the upside for
On Sun, Sep 08, 2013 at 03:13:39PM -0400, John C Klensin wrote:
On the CA side, one of the things I think is needed is a rating
system (or collection of them on a pick the rating service you
trust basis) for CAs, with an obvious extension to PGP-ish key
signers. In itself, that isn't a
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 9/8/13 10:28 PM, l.w...@surrey.ac.uk wrote:
There is no upside.
By signing your mail you lose plausible deniability, remove legal
doubt as to what you said...
Why do you think that cryptographic doubt = legal doubt? I've heard
that claim many
Ted Lemon ted.le...@nominum.com wrote:
On Sep 8, 2013, at 5:33 PM, Michael Richardson mcr+i...@sandelman.ca
To all the people who posted to this thread about how they don't know
what a PGP key signature means, and who did not PGP or S/MIME their
email:
What's the upside
Why do you think that cryptographic doubt = legal doubt? I've heard
that claim many times, but I've never heard an argument for it.
Having attempted to explain technology in court as an expert witness,
I find the assertion risible.
R's,
John
On Sep 9, 2013, at 1:31 AM, Brian Trammell tramm...@tik.ee.ethz.ch wrote:
I must say at least that GPGMail (on the Mac) has gotten _much_ better in the
intervening decade.
+1
So far, it just works, and pretty much transparently. I've made my donation.
Regards,
-drc
On Sep 9, 2013, at 8:43 AM, Michael Richardson mcr+i...@sandelman.ca wrote:
What's the upside to signing my email? I know why I want everybody I
know to sign my email, but what's the upside for me if I do it? Until
there's a clear win, it's not going to happen.
It's what establishes the
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 9/9/13 11:02 AM, Cyrus Daboo wrote:
Hi Peter,
--On September 8, 2013 at 5:19:51 PM -0600 Peter Saint-Andre
stpe...@stpeter.im wrote:
But until the MUAs across the board support it out of the box,
I believe most people don't know about it
It also makes it obvious to everyone that Peter is using PGP. Which serves
a pedagogical function, I guess. :)
On Mon, Sep 9, 2013 at 1:12 PM, Peter Saint-Andre stpe...@stpeter.im wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 9/9/13 11:02 AM, Cyrus Daboo wrote:
Hi Peter,
If anyone can advise me on using gmail and PGP/GPG (unicast, don't spam
the list), I'd appreciate it. There's a plugin but it won't let me
import my keyring.
On Sep 9, 2013, at 1:12 PM, Peter Saint-Andre stpe...@stpeter.im wrote:
Signed PGP part
On 9/9/13 11:02 AM, Cyrus Daboo wrote:
Hi Peter,
--On September 8, 2013 at 5:19:51 PM -0600 Peter Saint-Andre
stpe...@stpeter.im wrote:
But until the MUAs across the board support it out of
Hi Peter,
--On September 8, 2013 at 5:19:51 PM -0600 Peter Saint-Andre
stpe...@stpeter.im wrote:
But until the MUAs across the board support it out of the box, I
believe most people don't know about it or know what it means.
So that's an opportunity to educate people. For instance, perhaps
On 10/09/2013 01:58, Ted Lemon wrote:
...
Seriously, this perfectly illustrates the reason why PGP hasn't seen
widespread deployment: it doesn't address a use case that anybody understands
or cares about,
True story: Last Saturday evening I was sitting waiting for a piano
recital to start,
Chop?
Sent from my BlackBerry® Smartphone, regret typo's!
-Original Message-
From: Ted Lemon ted.le...@nominum.com
Sender: ietf-boun...@ietf.org
Date: Mon, 9 Sep 2013 13:58:34
To: IETF discussion list ietf@ietf.org
Subject: Re: pgp signing in van
On Sep 9, 2013, at 8:43 AM, Michael
On 9/9/2013 1:09 PM, Brian E Carpenter wrote:
I've just discovered that when
you forward or reply to a message, you can just change the other
person's text by typing over it! You'd have thought they would
make that impossible.
Yes, they should have made that impossible.
Yeah, the pragmatics
On Sep 9, 2013, at 4:11 PM, Dan York dan-i...@danyork.org wrote:
Even in the groups where PGP was (and is) being used, usage is inconsistent
in part because people are now accessing their email using different devices
and not all of them have easy access to PGP/GPG. If you receive an
--On Tuesday, September 10, 2013 08:09 +1200 Brian E Carpenter
brian.e.carpen...@gmail.com wrote:
...
True story: Last Saturday evening I was sitting waiting for a
piano recital to start, when I overheard the person sitting
behind me (who I happen to know is a retired chemistry
professor)
On Sep 9, 2013, at 4:27 PM, Steve Crocker st...@shinkuro.com wrote:
Actually, I interpret the chemistry professor's comment in a different light.
It would be possible to design a system where:
o the standard end user software doesn't facilitate editing the other
person's text, and
o
On 9/9/2013 1:27 PM, Steve Crocker wrote:
Actually, I interpret the chemistry professor's comment in a
different light. It would be possible to design a system where:
o the standard end user software doesn't facilitate editing the other
person's text, and
o each piece of text is signed.
The
On 9/9/2013 4:09 PM, Brian E Carpenter wrote:
On 10/09/2013 01:58, Ted Lemon wrote:
...
Seriously, this perfectly illustrates the reason why PGP hasn't seen
widespread deployment: it doesn't address a use case that anybody
understands or cares about,
True story: Last Saturday evening I
On Sep 9, 2013, at 4:48 PM, Brian E Carpenter brian.e.carpen...@gmail.com
wrote:
Indeed. How one achieves such a fresh start is unclear.
G+, Facebook, etc. There's no shortage of fresh starts in the personal
communication space. They just don't typically look like typical SMTP/rfc822
Yes, I am speaking of what would be possible today with a fresh start. The
fresh start would also include signatures and encryption as a required part of
the design. (If everyone has to have a key, the key management problems would
be greatly reduced.)
Steve
On Sep 9, 2013, at 4:36 PM, Dave
On Mon, 9 Sep 2013, Ted Lemon wrote:
It might be worth thinking about why ssh and ssl work so well, and PGP/GPG
don't.
Umm, I question a conclusion that either ssh or ssl work well. ssh works
reasonably well around me because I can help everyone get the details
aligned. Even knowing all
Hi Brian,
At 13:48 09-09-2013, Brian E Carpenter wrote:
(Excuse my ignorance, but do existing MUAs allow one to edit a body part
that arrived with a PGP signature?)
Yes. Somebody would write a MUA to do it if it wasn't possible.
Regards,
-sm
Indeed. How one achieves such a fresh start is unclear.
G+, Facebook, etc. There's no shortage of fresh starts in the
personal communication space. They just don't typically look like
typical SMTP/rfc822 email. And of course, they substitute central
control for a distributed key model.
Actually, I interpret the chemistry professor's comment in a different light.
It would be possible to design a system where:
o the standard end user software doesn't facilitate editing the other person's
text, and
o each piece of text is signed.
The result would be a system where a recipient
On Sep 9, 2013, at 5:19 PM, David Morris d...@xpasc.com wrote:
On Mon, 9 Sep 2013, Ted Lemon wrote:
It might be worth thinking about why ssh and ssl work so well, and PGP/GPG
don't.
Umm, I question a conclusion that either ssh or ssl work well.
It's in widespread use. Hence, it works
On Sep 9, 2013, at 9:58 AM, Ted Lemon wrote:
Seriously, this perfectly illustrates the reason why PGP hasn't seen
widespread deployment: it doesn't address a use case that anybody understands
or cares about, and it appears to address a use case that people actually
would like to avoid.
On 10/09/2013 08:39, Steve Crocker wrote:
Yes, I am speaking of what would be possible today with a fresh start. The
fresh start would also include signatures and encryption as a required part
of the design. (If everyone has to have a key, the key management problems
would be greatly
On Monday, September 09, 2013 21:36:15 John Levine wrote:
Yes, they should have made that impossible.
Oh my, I _love_ this! This is actually the first non-covert use case I've
heard described, although I'm not convinced that PGP could actually do
this without message format tweaks.
To be clear, what I would like to see in an MUA that addresses the use case
Brian described is that it is just a new mime encoding that allows a message to
be pieced together from a collection of signed attachments. So in this
message, the mail would be encoded as two parts. The first would
On Sep 9, 2013, at 5:25 PM, Dave Crocker d...@dcrocker.net wrote:
1. Starting fresh means ceasing to interoperate (well) with Internet Mail.
We had quite a lot of exemplars of this when the Internet was starting to be
commercial; semantics matching was often awkward.
To be clear, what I
On Sep 9, 2013, at 5:36 PM, John Levine jo...@taugh.com wrote:
Sounds like we're on our way to reinventing S/MIME. Other than the
key signing and distribution (which I agree is a major can of worms)
it works remarkably well.
Right. That's the reason I don't use it. Completely naively, may
On Sep 9, 2013, at 5:21 PM, SM s...@resistor.net wrote:
Yes. Somebody would write a MUA to do it if it wasn't possible.
What they do not, however, do, is to fix up the signature so that it still
validates after the editing has been done.
Yes, they should have made that impossible.
Oh my, I _love_ this! This is actually the first non-covert use case I've
heard described,
although I'm not convinced that PGP could actually do this without message
format tweaks.
Sounds like we're on our way to reinventing S/MIME. Other than
On 9/9/13 5:17 PM, Ted Lemon wrote:
It might be worth thinking about why ssh and ssl work so well, and PGP/GPG
don't.
Because normally with SSL and SSH the complexity is in the server,
not the client. When the client needs to verify the identity of some
site with SSL we have the
On Sep 9, 2013, at 5:51 PM, Arturo Servin arturo.ser...@gmail.com wrote:
Because normally with SSL and SSH the complexity is in the server,
not the client. When the client needs to verify the identity of some
site with SSL we have the background browser process to check it (that
in fact it
On Mon, Sep 9, 2013 at 4:27 PM, Steve Crocker st...@shinkuro.com wrote:
Actually, I interpret the chemistry professor's comment in a different
light. It would be possible to design a system where:
o the standard end user software doesn't facilitate editing the other
person's text, and
o
Sounds like we're on our way to reinventing S/MIME. Other than the
key signing and distribution (which I agree is a major can of worms)
it works remarkably well.
Which sounds kind of like, Other than that Mrs. Lincoln, how was the play?
Yes, and no. PGP and S/MIME each have their own key
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Believe it or not Ted Nelson had a similar idea when he invented Xanadu
Hypertext. He was obsessed by copyright and the notion that it would be
wrong to copy someone else's text to another machine, hence the need for
links.
Well, yes, but he's never
On Sep 9, 2013, at 9:07 PM, John Levine jo...@taugh.com wrote:
Yes, and no. PGP and S/MIME each have their own key distribution
problems. With PGP, it's easy to invent a key, and hard to get other
people's software to trust it. With S/MIME it's harder to get a key,
but once you have one,
Yes, and no. PGP and S/MIME each have their own key distribution
problems. With PGP, it's easy to invent a key, and hard to get other
people's software to trust it. With S/MIME it's harder to get a key,
but once you have one, the software is all happy.
That's a bug, not a feature. The
On Sep 9, 2013, at 9:26 PM, John R Levine jo...@taugh.com wrote:
Um, didn't this start out as a discussion about how we should try to get
people using crypto, rather than demanding perfection that will never
happen?
Yes.
Typical S/MIME keys are issued by CAs that verify them by
sending you
Typical S/MIME keys are issued by CAs that verify them by
sending you mail with a link. While it is easy to imagine ways that
could be subverted, in practice I've never seen it.
The most obvious way that it can be subverted is that the CA issues you a key
pair and gives a copy of the private
On 09/09/2013 05:17 PM, Ted Lemon wrote:
On Sep 9, 2013, at 4:11 PM, Dan York dan-i...@danyork.org wrote:
Even in the groups where PGP was (and is) being used, usage is
inconsistent in part because people are now accessing their email
using different devices and not all of them have easy
On Sep 9, 2013, at 11:36 PM, Paul Wouters p...@nohats.ca wrote:
Related (does not take away the full pain):
Nice. I think section 4.2 is slightly too pessimistic, but not harmfully so.
It might be worth talking about leap-of-faith validation as well as
web-of-trust validation.
--On Friday, September 06, 2013 19:50 -0800 Melinda Shore
melinda.sh...@gmail.com wrote:
On 9/6/13 7:45 PM, Scott Kitterman wrote:
They have different problems, but are inherently less
reliable than web of trust GPG signing. It doesn't scale
well, but when done in a defined context for
Phillip Hallam-Baker hal...@gmail.com wrote:
Could we do smime as well?
If we had a list of smime cert fingerprints it can be used for trust
reinforcement
Sure, but how does one establish any kind of web of trust in smime?
I have to gather everyone's certificate, and I get no
I have removed the attribution of this comment on purpose, because it applies
to multiple people, and I want to attack a behaviour, not a person:
This is what I mean by a high bar. Signing someone's PGP key should
mean
I know this person as X, not this person is X.
Dilution of
On Sep 8, 2013, at 5:33 PM, Michael Richardson mcr+i...@sandelman.ca wrote:
To all the people who posted to this thread about how they don't know what
a PGP key signature means, and who did not PGP or S/MIME their email:
What's the upside to signing my email? I know why I want everybody I
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 9/8/13 3:50 PM, Ted Lemon wrote:
On Sep 8, 2013, at 5:33 PM, Michael Richardson
mcr+i...@sandelman.ca wrote:
To all the people who posted to this thread about how they don't
know what a PGP key signature means, and who did not PGP or
S/MIME
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 9/8/13 5:09 PM, Hector Santos wrote:
On 9/8/2013 6:21 PM, Peter Saint-Andre wrote:
On 9/8/13 3:50 PM, Ted Lemon wrote:
What's the upside to signing my email? I know why I want
everybody I know to sign my email, but what's the upside for
Subject: Re: pgp signing in van Date: Sun, Sep 08, 2013 at 09:50:19PM +
Quoting Ted Lemon (ted.le...@nominum.com):
On Sep 8, 2013, at 5:33 PM, Michael Richardson mcr+i...@sandelman.ca wrote:
To all the people who posted to this thread about how they don't know what
a PGP key signature
Sent: 08 September 2013 22:50
To: Michael Richardson
Cc: IETF discussion list
Subject: Re: pgp signing in van
On Sep 8, 2013, at 5:33 PM, Michael Richardson mcr+i...@sandelman.ca wrote:
To all the people who posted to this thread about how they don't know what
a PGP key signature means, and who
On 9/6/13 6:33 PM, Phillip Hallam-Baker wrote:
Almost everyone arriving in Vancouver will have a passport in any
case. The protocol will probably be something like provide your key
etc data in advance, print something out and present that plus your ID
document in the ceremony.
p style=snark
On Fri, Sep 06, 2013 at 11:39:59PM -0400, Phillip Hallam-Baker wrote:
For purposes of email security it is not about the keys at all. It is the
email addresses that are the real killer.
I can be very sure that I have the right key for ted.le...@nominum.com but
is that who I know as Ted
On 9/6/2013 10:35 PM, Melinda Shore wrote:
One of the useful things that PKI provides is some agreement,
at least, about what we expect from certification authorities
and what it means to issue and sign a certificate. That is
to say, the semantics are reasonably well sorted-out, which is
not
On Sat, Sep 7, 2013 at 11:29 AM, Theodore Ts'o ty...@mit.edu wrote:
On Fri, Sep 06, 2013 at 11:39:59PM -0400, Phillip Hallam-Baker wrote:
For purposes of email security it is not about the keys at all. It is the
email addresses that are the real killer.
I can be very sure that I have the
On 9/6/2013 11:04 PM, Ted Lemon wrote:
On Sep 6, 2013, at 10:35 PM, Melinda Shore melinda.sh...@gmail.com wrote:
I actually don't think that pgp is likely to be particularly
useful as a serious trust mechanism, mostly because of
issues like this.
It's not at all clear to me that serious trust
To: IETF Disgust
Subject: pgp signing in van
so, it might be a good idea to hold a pgp signing party in van. but
there are interesting issues in doing so. we have done lots of parties
so have the social protocols and n00b cheat sheets. but that is the
trivial tip of the iceberg.
o is pgp
Dave:
is pgp compromised?
PGP is a packaging method. Absent grossly incompetent packaging -- and I've
never heard claims that PGP or S/MIME were guilty of that -- my sense is that
the interesting security mechanisms are the underlying algorithms.
Is there something about PGP that
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 9/6/13 11:17 AM, Michael Richardson wrote:
We just put our GPG fingerprint into the MEMO part of a vcard,
Actually, vCard has a KEY field:
http://tools.ietf.org/html/rfc6350#section-6.8.1
Peter
- --
Peter Saint-Andre
https://stpeter.im/
I will be happy to participate in a pgp signing party.
Organized or not.
I suggest that an appropriate venue is during the last 15 minutes of the
newcomer welcome and the first 15 minutes of the welcome reception.
Because:
1) the WG-chairs and IESG will all be there, and a web of trust
On Sep 6, 2013, at 2:51 PM, Phillip Hallam-Baker hal...@gmail.com wrote:
The issue is that smime email clients are more common so I would
rather teach the smime doggie pgp like tricks than vice versa
The problem is getting your smime program to stop using CA keys and only use
your local key as
Could we do smime as well?
If we had a list of smime cert fingerprints it can be used for trust
reinforcement
The issue is that smime email clients are more common so I would
rather teach the smime doggie pgp like tricks than vice versa
Sent from my difference engine
On Sep 6, 2013, at 1:20
On 9/6/2013 10:17 AM, Michael Richardson wrote:
I will be happy to participate in a pgp signing party.
Organized or not.
I suggest that an appropriate venue is during the last 15 minutes of the
newcomer welcome and the first 15 minutes of the welcome reception.
Because:
1) the WG-chairs
On Fri, Sep 6, 2013 at 3:34 PM, Ted Lemon ted.le...@nominum.com wrote:
On Sep 6, 2013, at 2:51 PM, Phillip Hallam-Baker hal...@gmail.com wrote:
The issue is that smime email clients are more common so I would
rather teach the smime doggie pgp like tricks than vice versa
The problem is
On Fri, Sep 6, 2013 at 6:42 PM, Joe Touch to...@isi.edu wrote:
On 9/6/2013 10:17 AM, Michael Richardson wrote:
I will be happy to participate in a pgp signing party.
Organized or not.
I suggest that an appropriate venue is during the last 15 minutes of the
newcomer welcome and the first
On Sep 6, 2013, at 6:42 PM, Joe Touch to...@isi.edu wrote:
I've noted elsewhere that the current typical key-signing party methods are
very weak. You should sign only the keys of those who you know well enough to
claim you can attest to their identity.
This is a ridiculously high bar. The
On 9/6/13 4:10 PM, Ted Lemon wrote:
On Sep 6, 2013, at 6:42 PM, Joe Touch to...@isi.edu wrote:
I've noted elsewhere that the current typical key-signing party
methods are very weak. You should sign only the keys of those who
you know well enough to claim you can attest to their identity.
On Sep 6, 2013, at 8:21 PM, Melinda Shore melinda.sh...@gmail.com wrote:
when you vouch for someone's identity - in an authoritative
trust system - you're also vouching for the authenticity of
their transactions.
This is what I mean by a high bar. Signing someone's PGP key should mean I
On 9/6/13 5:09 PM, Ted Lemon wrote:
This is what I mean by a high bar. Signing someone's PGP key
should mean I know this person as X, not this person is X.
I have no idea what should means in this context. It seems
to me, from looking at this discussion (as well as from other
discussions
On 9/6/2013 5:10 PM, Ted Lemon wrote:
On Sep 6, 2013, at 6:42 PM, Joe Touch to...@isi.edu wrote:
I've noted elsewhere that the current typical key-signing party
methods are very weak. You should sign only the keys of those who you
know well enough to claim you can attest to their identity.
Phillip Hallam-Baker hal...@gmail.com wrote:
On Fri, Sep 6, 2013 at 6:42 PM, Joe Touch to...@isi.edu wrote:
On 9/6/2013 10:17 AM, Michael Richardson wrote:
I will be happy to participate in a pgp signing party.
Organized or not.
I suggest that an appropriate venue is during the last 15
On Sep 6, 2013, at 9:24 PM, Melinda Shore melinda.sh...@gmail.com wrote:
I'm not sure why
I know this person as X provides much more reliability
than someone asserting their own identity.
Actually it's quite useful. It allows me to differentiate email coming from
someone I know as X from
On Sep 6, 2013 9:10 PM, Ted Lemon ted.le...@nominum.com wrote:
On Sep 6, 2013, at 8:21 PM, Melinda Shore melinda.sh...@gmail.com wrote:
when you vouch for someone's identity - in an authoritative
trust system - you're also vouching for the authenticity of
their transactions.
This is what
On Sep 6, 2013, at 10:18 PM, Scott Brim scott.b...@gmail.com wrote:
Dilution of trust is a problem with PGP. I know this person as X is way too
lax if you want the system to scale.
It's naive to think that keys are any more trustworthy than this, because any
signature's trustworthiness is
On 9/6/13 6:24 PM, Ted Lemon wrote:
It's naive to think that keys are any more trustworthy than this,
because any signature's trustworthiness is only as good as the
trustworthiness of the individual who decides to sign it. If you
trust a key signed by someone you don't know, but who someone