Evil PGP sigs thread must die. was Re: Stop it with putting your e-mail body in my MUA OT

Brad Knowles brad.knowles at skynet.be
Mon Jul 15 15:34:36 UTC 2002


At 3:01 PM -0400 2002/07/10, Andy Dills wrote:

>                       The passive assumption is that your words are
>  important enough that somebody might want to verify them.

	Correct.  This statement will be true for just about everyone, at 
some point in their life.

>                                                            So, does EVERY
>  email need to be pgp signed?

	Do you need to use ssh every time you access a server remotely? 
Surely you know when your line is being tapped or when your packets 
are being sniffed, and you choose only those times to use ssh, and 
otherwise you use telnet?  Same goes for actually using passwords to 
log in -- surely you know when it's a legitimate user that is trying 
to log in and when it's someone trying to gain illicit access to your 
system, and you require them to use passwords accordingly?

>  When was the last time somebody on this list bothered to check the
>  validity of a pgp signed message which they received via nanog?

	When was the last time anyone on this list bothered to check the 
validity of any message they received via any channel?  I mean, if 
you're going to use probability to support your argument, you might 
as well widen the discussion to a much broader sample group.

>  I mean, if John Sidgmore posted to that from now on, Worldcom's official
>  pricing is $100/meg with a 3 meg commit, I wouldn't believe it for a
>  second unless it was signed and I verified it.

	Not everything is black and white.  At what level would you 
choose to validate a message like this?

-- 
Brad Knowles, <brad.knowles at skynet.be>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
     -Benjamin Franklin, Historical Review of Pennsylvania.


