-----BEGIN PGP SIGNED MESSAGE----- Message-Signature-Date: Wed Sep 27 14:33:28 1995
Date: Wed, 27 Sep 1995 10:39:21 -0700 From: tcmay@got.net (Timothy C. May)
At 4:28 PM 9/27/95, Travis Corcoran wrote:
As the author of the package in question, I would like to point out:
(1) the email msg Tim refers to (hereafter refered to by me as "query-mail") was a request for information, not a warning
I don't sign my messages, never have, so I see no way this "agent" Travis ran could find such a signed message from me.
OK, then this sidetracks the discussion, as it seems we've got a bug in either software behavior (despite a fair amount of testing) or user behavior. If it's the former, I apologize for any hassle my software caused. I'll investigate this and issue a fix if it is a software problem. However, I remind you that the query-mail said in it - ------------------------------ snip! ------------------------------ If there is a bug w this sftwr (for example, you never PGP sign your msgs, so this entire msg makes no sense) [ ... ] please mail the author of this package ( tjic@openmarket.com ) - ------------------------------ snip! ------------------------------ For future reference, if anyone finds a bug in any of my software (free or otherwise), it is much more likely to get fixed by mailing me directly than by posting a manifesto about the class of software as a whole to a mailing list or newsgroup.
A question: in a situation like this one, where an individual signed a message with a key then did not make a key with the return address of his message available [ ... ] what next step -if any- do people think is more appropriate than sending mail to the individual asking them for a copy of the key ?
Ignore it. Why hassle people who have no plan or finger configurations?
Well, during the year or so I've been using my package I've tried to verify thousands of posts. In hundreds of these times, I've not had the key on hand and had to use finger or the keysevers. In dozens of these times, finger and the keyserver failed, I sent mail to the original poster, and got a response back along the lines of: "Unfortunately finger doesn't work at my site, but my key is on the keysever...oh, wait...the address on the key is 6 months out of date! Sorry! Just updated it. { Try now. | My updated key is below }." Thus, history has shown that it is often quite valid to ask people for their keys when all other avenues have been exhausted. Further, I imagine that the vast majority of people who sign public UseNet messages intend for their messages to be verifiable, and thus find it reasonable to be asked for their keys if their keys are not easilly available. If anyone thinks this is an incorrect assumption, I'd like to hear their thinking.
Besides, people who really want to communicate with me with PGP simply ask for it.
Uh...isn't that the purpose that the query mail ("Please mail me your key. Thank you.") was serving? I'm not sure whether you're objecting to someone asked for your key, or the fact that they did it through a semi-automated process. I posted an idea for a scheme recently that would convey the datum "I prefer PGP-encrypted mail" to intelligent cryptography-aware news/mail-readers. Perhaps the same scheme should be used to convey the datum "I do feel the need for my PGP-signed messages to be verified. Please do not ask me for my key." While it would be easy enough to implement, I'm not sure how many people would choose to encode this tag into their sig block or headers...
If you don't like this, fine. But don't robo-interrogate and send robo-warnings.
I think the phrase "robo-interogate" is pretty strong for sending a piece of email that has as its central message "Please mail me your key. Thank you." The phrase "robo-warnings" is even less appropriate and relevant. For the record, the full text of the query mail (including all three uses of the word "please", and all 0 references to "warnings", "interogations", and "truncheons" ) is: - ------------------------------ snip! ------------------------------ To: < mail-signer > Subject: please send me your PGP public key Hello. While reading either email or UseNet I came across a PGP signed msg from you, but did not have your public key to verify it with. My mail/newsreader fingered your account for your key and failed. It then tried to get your key from the keyserver at < keyserver-address > but the key was not there. Please mail me your key. Thank you. (If you think that the key should be there, be aware that my mailreader searched for the key by your email addr as seen by me - the same addr *this* piece of mail is being sent to. If you registered a key with the server, that key may not have on it your addr as it is seen by the rest of the world.) P.S. This mail was composed by my mailreading sftwr, which automatically scans incoming mail, looking for failed keyserver requests, and prompts me whether it should automatically send this msg on my behalf. If there is a bug w this sftwr (for example, you never PGP sign your msgs, so this entire msg makes no sense), or if you're interested in the software itself (mail-secure.el: a package in lisp for emacs; this is just one of the many crypto/privacy related things it does) please mail the author of this package ( tjic@openmarket.com) for details. - ------------------------------ snip! ------------------------------ If anyone has a constructive suggestion as to how this mail could be changed to convey more information or to be less "threatening", please mail me. - -- TJIC (Travis J.I. Corcoran) http://www.openmarket.com/personal/tjic/ Member EFF, GOAL, NRA. opinions (TJIC) != opinions (employer (TJIC)) "Buy a rifle, encrypt your data, and wait for the Revolution!" PGP encrypted mail preferred. Ask me about gnuslive.el for emacs. -----BEGIN PGP SIGNATURE----- Version: 2.6 Comment: auto-signed by mail-secure.el v 0.998 using mailcrypt.el Comment: Processed by Mailcrypt 3.3, an Emacs/PGP interface iQCVAwUBMGmY+YJYfGX+MQb5AQGIvQP+KWoHrZeFYqWdyTe8K4iUrXvL6xtjG9S4 QLIkk2n6Zmzw9lNc915B6teYgFf55EI6H1NIyrT8RQXS6TfinlphNc9kH0YJqWjE SIpEmfre6HuvHfYcWHLGb8hgX0Smwfvoq/nVqy3DT1H7s0Sbm4Ko532BOUKKzVxY r2VLj5XmzEg= =ptpV -----END PGP SIGNATURE-----