enigmail@mozdev.org


Re: [Enigmail] New user part 2 Robert J. Hansen Tue Apr 10 11:01:46 2012

On 4/9/12 6:06 PM, Kristian Fiskerstrand wrote:
> To some extent I disagree with your points (b,c). In my opinion 
> providing a signature can also be useful without specifying a trust 
> level of the sender's key - especially on a mailing list, as it
> allows you to verify that both message A and message B are coming from
> sender S. This can have value even though you haven't verified S's
> key and specified a trust level of the key to the extent imposter I
> sends message C claiming to be sender S.

Nope.

A few years ago over on PGP-Basics one particular person was claiming
this.  And not just claiming it politely, as you are, but making a big
shouting fit every time someone posted a non-signed message to the list.
He made the same argument you did.

John Moore, John Clizbe and I decided we'd make a point.  We shared a
keypair among the three of us and started using this to sign all our
posts.  We never uploaded the certificate to the keyservers.

This person who was screaming the loudest about the benefits of signed
messages thanked us for how we were now signing our messages.

Nobody noticed we were all using the same certificate for ... I don't
recall.  I think it was at least three months, though.  Some people were
very angry with us for our shenanigans, but (forgive me for speaking for
the three of us: John Clizbe will certainly correct me if I'm wrong) we
thought it was a useful demonstration of why signed messages from
unknown, untrusted individuals are not as useful as people like to think.

It's also worth noting: we weren't trying to fool anyone.  We were quite
openly using the same certificate.  There were, are, many things we
could have done in order to make our skulduggery more difficult to
detect.  We made it as easy as possible for people to notice, and it
still took an entire mailing list months and probably almost 100
messages between the three of us to notice, "hey, these three guys are
using the same certificate...".
_______________________________________________
Enigmail mailing list
[EMAIL PROTECTED]
https://www.mozdev.org/mailman/listinfo/enigmail
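
One check that would have surfaced the shared certificate described in the message above, as an added example (not part of the original post and not Enigmail code): it groups messages by the key ID GnuPG reports and lists every key that appears under more than one From address. The addresses, key IDs and status lines are constructed, and pairing each message's From header with its `gpg --status-fd` output is an assumption about how the archive was pre-processed.

```python
import re
from collections import defaultdict
from email.utils import parseaddr

# GOODSIG: the signature verified against a key in the local keyring.
# ERRSIG:  the signature could not be checked (rc 9 = public key missing),
#          so the key ID is only what the signature packet claims.
# Both carry the key ID (or fingerprint) as the first field.
SIG_LINE = re.compile(r"^\[GNUPG:\] (GOODSIG|ERRSIG) ([0-9A-Fa-f]{16,40})\b", re.M)


def signing_key(status_text):
    """Return the 16-hex-digit long key ID from gpg status output, or None."""
    m = SIG_LINE.search(status_text)
    return m.group(2).upper()[-16:] if m else None


def shared_keys(messages):
    """Map each key ID used by more than one sender to its sorted senders.

    messages: iterable of (From header, gpg status output) pairs.
    """
    senders_by_key = defaultdict(set)
    for from_header, status_text in messages:
        key = signing_key(status_text)
        if key is None:          # unsigned message, or BADSIG: not counted
            continue
        senders_by_key[key].add(parseaddr(from_header)[1].lower())
    return {k: sorted(v) for k, v in senders_by_key.items() if len(v) > 1}


# Constructed sample: three posters signing with one key that is not in the
# reader's keyring, one poster with their own verified key, one unsigned post.
UNKNOWN = ("[GNUPG:] ERRSIG 0123456789ABCDEF 1 2 00 1334000001 9\n"
           "[GNUPG:] NO_PUBKEY 0123456789ABCDEF\n")
SAMPLE = [
    ("Poster A <a@example.org>", UNKNOWN),
    ("Poster B <b@example.org>", UNKNOWN),
    ("Poster C <C@example.org>", UNKNOWN),
    ("Poster D <d@example.org>",
     "[GNUPG:] GOODSIG FEDCBA9876543210 Poster D <d@example.org>\n"),
    ("Poster E <e@example.org>", ""),
]

if __name__ == "__main__":
    for key, senders in shared_keys(SAMPLE).items():
        print(f"key {key} used by {len(senders)} senders: {', '.join(senders)}")
```

A key flagged here is not necessarily malicious (role keys and shared mailboxes exist); the report only makes visible what the list in the anecdote took months to notice.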