Detweiler wrote...
On Sat, 18 Nov 1995, jim bell wrote:
anonymous writes:
I still feel such a sense of violation with what LD did, such an utter sense of helplessness at the character assassination I've suffered at his hands,
So use PGP, sign your messages. Simple solution.
Absolutely! Anybody who uses anonymous remailers to post to public areas, and does not use digital signatures to prevent spoofing when it is obviously needed, is a fool or worse.
Most people believe THAT a digital signature is evidence that I am who my signature _says_ I am when it really doesn't do that at all. It isn't reliable at all.
Unfortunately, I've learned the hard way NOT to do that. Digital signatures don't prevent spoofing.
In fact, I think that thinking something is secure when it isn't leads to even more trouble, and could even lead to many tragedies.
In a nutshell, here's the problem.
WARNING! WARNING! WARNING! BIG "IF" COMING UP! BIG "IF" COMING UP!!!
If someone takes my pgp secret keyring and my password, then they can sign a message *digitally* so that people believe the spoofed message is really from me. In fact, since most people tend to rely on a pgp message far more than a non-pgp message, most people would be absolutely convinced that the message was in fact from me.
Pardon me, but what was the point of that last comment? It is an obvious statement of fact that yes, IF IF IF somebody had a secret key AND password, he could duplicate a signature. Digital signatures allow a person to exclude others from being able to sign messages as if they are from him. True, a person could simply publish his secret key and password, at which point everyone could sign notes as if they came from him, but that wouldn't be "interesting" because most people would have no reason to do so.
Signing with PGP is just not a solution.
It is, apparently, in the vast majority of possible situations. Why would you even try to disagree? Oh, yes, I forgot... you're Detweiler.
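The "BIG IF" above is exactly what a signature scheme guarantees and what it does not. The following Go program is an added illustration, not code from this thread or from PGP: a private key stored encrypted under a passphrase (a toy stand-in for the PGP secret keyring; Ed25519 and AES-GCM keyed by SHA-256 of the passphrase are substituted for the RSA and IDEA that PGP 2.x actually used, and the messages and passphrases are constructed samples). It walks through the four cases in the argument: the owner with keyring and passphrase signs and it verifies; an altered text no longer verifies; a thief who copies the keyring file but lacks the passphrase cannot sign at all; a thief signing with a key of his own does not verify under the owner's public key; and only a thief holding both the keyring and the passphrase produces a signature that readers cannot tell from the owner's.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// Keyring stands in for a PGP secret keyring: the public key in the clear and the
// private key sealed under a passphrase. Assumption: AES-GCM keyed by
// SHA-256(passphrase) replaces PGP 2.x's IDEA-under-MD5, Ed25519 replaces RSA.
type Keyring struct {
	Public    ed25519.PublicKey
	Encrypted []byte // nonce || AES-GCM ciphertext of the private key
}

func passphraseCipher(passphrase string) (cipher.AEAD, error) {
	key := sha256.Sum256([]byte(passphrase))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewKeyring generates a key pair and seals the private half under passphrase.
func NewKeyring(passphrase string) (*Keyring, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	aead, err := passphraseCipher(passphrase)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return &Keyring{Public: pub, Encrypted: aead.Seal(nonce, nonce, priv, nil)}, nil
}

// Unlock recovers the private key; a wrong passphrase fails GCM authentication.
func (k *Keyring) Unlock(passphrase string) (ed25519.PrivateKey, error) {
	aead, err := passphraseCipher(passphrase)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(k.Encrypted) < ns {
		return nil, fmt.Errorf("keyring too short")
	}
	priv, err := aead.Open(nil, k.Encrypted[:ns], k.Encrypted[ns:], nil)
	if err != nil {
		return nil, fmt.Errorf("wrong passphrase or corrupted keyring")
	}
	return ed25519.PrivateKey(priv), nil
}

// Sign needs both the keyring file and the passphrase that unlocks it.
func Sign(k *Keyring, passphrase string, msg []byte) ([]byte, error) {
	priv, err := k.Unlock(passphrase)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, msg), nil
}

// Verify is all a reader ever does; it needs only the public key.
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// Outcome records which attempts yield a signature valid under the owner's key.
type Outcome struct {
	OwnerVerifies       bool // owner: keyring + passphrase
	TamperedVerifies    bool // owner's signature attached to an altered text
	ThiefNoPassphrase   bool // thief copied the keyring, guessed the passphrase wrong
	ThiefOwnKeyVerifies bool // thief signs with a key of his own
	ThiefBothVerifies   bool // thief has keyring AND passphrase (the "BIG IF")
}

func RunScenario() (Outcome, error) {
	const passphrase = "correct horse battery staple"                          // constructed sample
	msg := []byte("I did not write the message attributed to me yesterday.") // constructed sample
	var out Outcome
	owner, err := NewKeyring(passphrase)
	if err != nil {
		return out, err
	}
	sig, err := Sign(owner, passphrase, msg)
	if err != nil {
		return out, err
	}
	out.OwnerVerifies = Verify(owner.Public, msg, sig)
	out.TamperedVerifies = Verify(owner.Public, []byte("I did write the message attributed to me yesterday."), sig)
	_, err = Sign(owner, "password1", msg) // stolen keyring, wrong passphrase
	out.ThiefNoPassphrase = err == nil
	thief, err := NewKeyring("thief")
	if err != nil {
		return out, err
	}
	forged, _ := Sign(thief, "thief", msg)
	out.ThiefOwnKeyVerifies = Verify(owner.Public, msg, forged)
	stolen, _ := Sign(owner, passphrase, msg) // keyring and passphrase both stolen
	out.ThiefBothVerifies = Verify(owner.Public, msg, stolen)
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The only case in which a forgery verifies is the last one, where the attacker holds everything the owner holds; every other attempt is rejected by nothing more than the public key. The scheme cannot distinguish the owner from a thief with a complete copy of the owner's secrets, which is the whole of the objection above and is no different from any other credential.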