Re: PGP posting validation
Robert A. Hayden [hayden@krypton.mankato.msus.edu] wrote:
Here's my two cents' worth- how about a filter on incoming mail to the list that performs these functions: 1) check the incoming post for a PGP signature 2) If a sig is found, check it against the list's public keyring
Hmm.. this would allow us to prove that THE LIST thinks he's who he says he is.. or who THE LIST tells us he is.. Now, I am not paranoid against THE LIST, but I suggest that THE PEOPLE should not filter THEIR thoughts. What of censorship [on an aside, is there a censor apprenticeship? Why the 'ship?']!? If you must censor.. censor your own messages with filters running on your own machine.. maybe even publish your filter list to the net so we can all understand each other. Remember that there will always be a percentage of noise in any public forum.. there is no average without these outliers. For a group SO interested in RANDOM numbers, some people sure do want to organize everything. TTFN.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- DrZaphod #Don't Come Any Closer Or I'll Encrypt! -
- [AC/DC] / [DnA][HP] #Xcitement thru Technology and Creativity -
- [drzaphod@brewmeister.xstablu.com] [MindPolice Censored This Bit] -
- 50 19 1C F3 5F 34 53 B7 B9 BB 7A 40 37 67 09 5B -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-----BEGIN PGP SIGNED MESSAGE-----

On Sun, 16 Jan 1994, DrZaphod wrote:
Robert A. Hayden [hayden@krypton.mankato.msus.edu] wrote:
Just to verify, I followed up to a previous posting, it wasn't mine originally :-)
Here's my two cents' worth- how about a filter on incoming mail to the list that performs these functions: 1) check the incoming post for a PGP signature 2) If a sig is found, check it against the list's public keyring
Hmm.. this would allow us to prove that THE LIST thinks he's who he says he is.. or who THE LIST tells us he is.. Now, I am not paranoid against THE LIST, but I suggest that THE PEOPLE should not filter THEIR thoughts. What of censorship [on an aside, is there a censor apprenticeship? Why the 'ship?']!? If you must censor.. censor your own messages with filters running on your own machine.. maybe even publish your filter list to the net so we can all understand each other. Remember that there will always be a percentage of noise in any public forum.. there is no average without these outliers. For a group SO interested in RANDOM numbers, some people sure do want to organize everything. TTFN.
Please don't take this as confrontational (ie, this is not a flame :-)

How would requiring that postings made to a list be verifiable be censorship? What it does is verify that REAL people posted the message and that the person whose address is on the message is actually the person that posted it.

Now, granted, I suppose it could end up dumping some postings because they were forged, and that is sort of censoring. But it isn't censoring based on content, but based on the fact that it appears to be a forgery.

And by bouncing a message back to the person that posted it, you give them an opportunity to repost (this time signed) in case they forgot.

Also, as for the filter idea. If some jerk is posting a message as appearing to come from schmuck@foo.bar.com, yes, I could add that address to my filter and delete it before I see it, but if the jerk starts posting as coming from idjit@bar.foo.com, I'd have to add another filter line.

By doing a check of the digital signature against the poster's public key, you eliminate most instances of forgery. Of course, if the poster's key is compromised, that's a different story.

____ Robert A. Hayden <=> hayden@krypton.mankato.msus.edu
\ /__ -=-=-=-=- <=> -=-=-=-=-
\/ / Finger for Geek Code Info <=> To flame me, log on to ICBMnet and
\/ Finger for PGP 2.3a Public Key <=> target 44 09' 49" N x 93 59' 57" W
- -=-=-=-=-=-=-=-
(GEEK CODE 1.0.1) GAT d- -p+(---) c++(++++) l++ u++ e+/* m++(*)@ s-/++ n-(---) h+(*) f+ g+ w++ t++ r++ y+(*)

-----BEGIN PGP SIGNATURE-----
Version: 2.3a

iQCVAgUBLTnJ/53BsrEqkf9NAQEUNgP/ZcToPpXmZ1LodtlMUi3xibxppUEAKv5H
czC97H08Lewk+E9Ss2eRjJWWfMsqTE7Yo1o7iAD+aB6dhrpSLNJ4XuTLD/Z8SWO2
OeWZTgSp1gwAbqrQBRyIkq0Ocu5GgI9bURzqoSfUQ6s1sPi8fSqICghG0vV5sXYd
IFqoEJQSTPc=
=sIKV
-----END PGP SIGNATURE-----
Robert A. Hayden [hayden@krypton.mankato.msus.edu] wrote:
Just to verify, I followed up to a previous posting, it wasn't mine originally :-)
Yep.. sorry about the confusion.. I wiped the first msg.. and only had your reply to go on. Now on to the topic at hand.
Please don't take this as confrontational (ie, this is not a flame :-)
I always associated flames with rash, unfounded accusations.. It's ok to confront.. |-]
How would requiring that postings made to a list be verifiable be censorship? What it does is verify that REAL people posted the message and that the person whose address is on the message is actually the person that posted it.
No, verifying identities [even pseudonyms] is fine.. if you trust THE LIST.. which is also fine.. but it does leave a gap. [note: this filter approach is similar to the Clipper chip in that it provides a [possibly] false sense of security -- if people want to filter what they see, trust in themselves and don't filter what other people see] This also eliminates anonymous postings. Well.. unless the filters are willing to let all messages that are from people NOT registered with THE LIST thru..
Now, granted, I suppose it could end up dumping some postings because they were forged, and that is sort of censoring. But it isn't censoring based on content, but based on the fact that it appears to be a forgery.
If THE LIST wants to tack on a little note at the top of every msg saying "VERIFIED AUTHOR WITH LIST DATABASE" then fine.. but don't FILTER it.
And by bouncing a message back to the person that posted it, you give them an opportunity to repost (this time signed) in case they forgot.
a warning from THE LIST, no less.
Also, as for the filter idea. If some jerk is posting a message as appearing to come from schmuck@foo.bar.com, yes, I could add that address to my filter and delete it before I see it, but if the jerk starts posting as coming from idjit@bar.foo.com, I'd have to add another filter line.
If THE LIST can filter msgs by PGP sigs, then so can you. It will be no more work for you.
By doing a check of the digital signature against the poster's public key, you eliminate most instances of forgery. Of course, if the poster's key is compromised, that's a different story.
Trusting validation to just HAPPEN to your incoming mail on some remote location is ludicrous.

In conclusion. . . All too often people want to patch a problem and have it go away.. for everyone. Why don't we make the solution available to everybody, not make the solution for everybody.

Nice chatting, Robert. I'm sure I'll be seeing more. TTFN.
____ Robert A. Hayden <=> hayden@krypton.mankato.msus.edu
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- DrZaphod #Don't Come Any Closer Or I'll Encrypt! -
- [AC/DC] / [DnA][HP] #Xcitement thru Technology and Creativity -
- [drzaphod@brewmeister.xstablu.com] [MindPolice Censored This Bit] -
- 50 19 1C F3 5F 34 53 B7 B9 BB 7A 40 37 67 09 5B -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Robert A. Hayden [hayden@krypton.mankato.msus.edu] wrote:
Here's my two cents' worth- how about a filter on incoming mail to the list that performs these functions: 1) check the incoming post for a PGP signature 2) If a sig is found, check it against the list's public keyring
Hmm.. this would allow us to prove that THE LIST thinks he's who he says he is.. or who THE LIST tells us he is.. Now, I am not paranoid against THE LIST, but I suggest that THE PEOPLE should not filter THEIR thoughts. What of censorship [on an aside, is there a censor apprenticeship? Why the 'ship?']!? If you must censor..
As to why you might want to check against a list, consider it private and a privilege to participate in.

Another example, 'punksters decide to work collaboratively on a project and want to restrict the exposure/discussion to trusted list members to protect the project from outside influence/intervention.

Bottom line, don't you want to know that the person you think you are responding to today is the same person you were communicating last week etc? Don't you want to keep someone from pretending to be you and sending out opinions etc. which might damage your reputation or misrepresent you?

This is NOT censorship i.e. it does NOT stop you from expressing your views, it only ensures that a message which appears to be from you really IS from you.

-Jim
--I said--
Hmm.. this would allow us to prove that THE LIST thinks he's who he says he is.. or who THE LIST tells us he is.. Now, I am not paranoid against THE LIST, but I suggest that THE PEOPLE should not filter THEIR thoughts. What of censorship [on an aside, is there a censor apprenticeship? Why the 'ship?']!? If you must censor..
--Jim says--
As to why you might want to check against a list, consider it private and a privilege to participate in.
Sounds along the lines of "It's a privilege, not a right" [granted, this is a privately run list.. but that's not what we're about.. at least that's what I've been led to believe]
Bottom line, don't you want to know that the person you think you are responding to today is the same person you were communicating last week etc? Don't you want to keep someone from pretending to be you and sending out opinions etc. which might damage your reputation or misrepresent you?
I want to know that the people I'm talking to are the people I think they are.. and that is why I do my own authentication, when I can. If I trust the machine to do it for me, then I've just shot two large holes in my objective. [THE LIST database could be tampered with; The PGP sigs could be forged from the start]
This is NOT censorship i.e. it does NOT stop you from expressing your views, it only ensures that a message which appears to be from you really IS from you.
It IS censorship if people's posts are trashed because they are either anonymous or a forger.. even forged posts are sometimes important.. See my other posts regarding LIST authentication, not filtering.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- DrZaphod #Don't Come Any Closer Or I'll Encrypt! -
- [AC/DC] / [DnA][HP] #Xcitement thru Technology and Creativity -
- [drzaphod@brewmeister.xstablu.com] [MindPolice Censored This Bit] -
- 50 19 1C F3 5F 34 53 B7 B9 BB 7A 40 37 67 09 5B -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
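An added illustration, not code from any poster in this thread: the two filter steps quoted at the top (find a PGP signature, check it against a keyring), combined with DrZaphod's suggestion to tag a post rather than drop it. The `X-List-Auth` header, all function names, the example.org address and the HMAC-based `toy_verify` (a constructed offline stand-in for a real PGP keyring check) are assumptions.

```python
import hashlib
import hmac

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

def split_clearsigned(body):
    """Return (signed_text, signature, has_unsigned_extra), or None if unsigned."""
    lines = body.splitlines()
    try:
        start = lines.index(BEGIN_MSG)
        blank = lines.index("", start + 1)    # armor headers end at a blank line
        sig = lines.index(BEGIN_SIG, blank + 1)
        end = lines.index(END_SIG, sig + 1)
    except ValueError:
        return None
    # Undo dash-escaping: a signed line "-----x" travels as "- -----x".
    text = [l[2:] if l.startswith("- ") else l for l in lines[blank + 1:sig]]
    extra = any(l.strip() for l in lines[:start] + lines[end + 1:])
    return "\n".join(text), "\n".join(lines[sig + 1:end]), extra

def tag_post(sender, body, verify):
    """Annotate, never drop: return (status, body with hypothetical status header)."""
    parts = split_clearsigned(body)
    signer = verify(parts[0], parts[1]) if parts else None
    if parts is None:
        status = "UNSIGNED"
    elif signer is None:
        status = "BAD SIGNATURE"
    elif signer.lower() != sender.lower():
        status = "SIGNED BY OTHER KEY"        # From: address does not match the signer
    elif parts[2]:
        status = "VERIFIED, BUT UNSIGNED TEXT OUTSIDE SIGNED BLOCK"
    else:
        status = "VERIFIED AUTHOR WITH LIST DATABASE"
    return status, "X-List-Auth: " + status + "\n\n" + body

# Constructed stand-in for a PGP keyring check (HMAC, so the example runs offline).
KEYRING = {"alice@example.org": b"constructed-demo-key"}
def toy_mac(key, text):
    return hmac.new(key, text.encode(), hashlib.sha256).hexdigest()

def toy_verify(text, sig):
    matches = [a for a, k in KEYRING.items() if hmac.compare_digest(toy_mac(k, text), sig)]
    return matches[0] if matches else None

def make_post(addr, text):
    esc = ["- " + l if l.startswith("-") else l for l in text.split("\n")]
    return "\n".join([BEGIN_MSG, "", *esc, BEGIN_SIG, toy_mac(KEYRING[addr], text), END_SIG])
```

The same `tag_post` can run on a reader's own machine against a personal keyring, which is the arrangement DrZaphod argues for.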