North American Network Operators Group

Re: Evil PGP sigs thread must die. was Re: Stop it with putting your e-mail body in my MUA OT

  • From: Brad Knowles
  • Date: Mon Jul 15 11:41:50 2002

At 3:01 PM -0400 2002/07/10, Andy Dills wrote:

> The passive assumption is that your words are
> important enough that somebody might want to verify them.

Correct. This statement will be true for just about everyone, at some point in their life.

> So, does EVERY
> email need to be pgp signed?

Do you need to use ssh every time you access a server remotely? Surely you know when your line is being tapped or when your packets are being sniffed, and you choose only those times to use ssh, and otherwise you use telnet? Same goes for actually using passwords to login -- surely you know when it's a legitimate user that is trying to login and when it's someone trying to gain illicit access to your system, and you require them to use passwords accordingly?

> When was the last time somebody on this list bothered to check the
> validity of a pgp signed message which they received via nanog?

When was the last time anyone on this list bothered to check the validity of any message they received via any channel? I mean, if you're going to use probability to support your argument, you might as well widen the discussion to a much broader sample group.

> I mean, if John Sidgmore posted to that from now on, Worldcom's official
> pricing is $100/meg with a 3 meg commit, I wouldn't believe it for a
> second unless it was signed and I verified it.

Not everything is black and white. At what level would you choose to validate a message like this?

--
Brad Knowles, <[email protected]>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-Benjamin Franklin, Historical Review of Pennsylvania.