North American Network Operators Group

Re: Evil PGP sigs thread must die. was Re: Stop it with putting your e-mail body in my MUA OT
On Mon, 15 Jul 2002, Brad Knowles wrote:

> > So, does EVERY
> > email need to be pgp signed?
>
> Do you need to use ssh every time you access a server remotely?

Every time the device runs ssh and I have to type a password, yes.

> Surely you know when your line is being tapped or when your packets
> are being sniffed, and you choose only those times to use ssh, and
> otherwise you use telnet?

There's some degree of truth to this. For instance, most of my routers do not run ssh. However, I control the network between here and there, so I am comfortable that nobody is capable of sniffing the session, so I am comfortable using telnet and not going through an OOB connection.

> Same goes for actually using passwords to
> login -- surely you know when it's a legitimate user that is trying
> to login and when it's someone trying to gain illicit access to your
> system, and you require them to use passwords accordingly?

Of course not. In the previous two situations, a human is making decisions, "judgement calls". This situation, you're asking a computer to do so. Bad analogy.

> > When was the last time somebody on this list bothered to check the
> > validity of a pgp signed message which they received via nanog?
>
> When was the last time anyone on this list bothered to check the
> validity of any message they received via any channel? I mean, if
> you're going to use probability to support your argument, you might
> as well widen the discussion to a much broader sample group.

So why is it that people are bothering to sign their posts to nanog if nobody cares if the people are who they say they are?

> > I mean, if John Sidgmore posted to that from now on, Worldcom's official
> > pricing is $100/meg with a 3 meg commit, I wouldn't believe it for a
> > second unless it was signed and I verified it.
>
> Not everything is black and white. At what level would you
> choose to validate a message like this?

"Not everything is black and white."

Does that mean you agree with me that not everything needs to be signed? Or does that mean you agree with me in that a judgement call must be made?

Andy

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Andy Dills 301-682-9972
Xecunet, LLC www.xecu.net
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Dialup * Webhosting * E-Commerce * High-Speed Access