Digital Signing (Beat The Dead Horse) was Re: Free Software for m$

Voltage Spike plug-discuss@lists.plug.phoenix.az.us
Thu, 26 Sep 2002 11:36:46 -0700


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Wednesday, September 25, 2002, at 09:59 AM, Thoreau wrote:

> I see an attachment, if I don't know what it is, the message is deleted.
> The message better have a damn hefty description for me to even consider
> opening it. I do not need a signature to tell me whether or not to open a
> file. Common sense, and even an up-to-date virus scanner can do wonders for
> keeping you safe.

It is unfortunate that some e-mail clients do not handle the standards 
properly.  I should think it would be possible, however, to view an 
attachment without executing it.  Assuming that MIME is being used (which 
sounds like the case), shouldn't Outlook Express recognize that the 
attachment is "text/plain"?

Just as an aside, many mail clients place a forwarded e-mail as an 
attachment (I suppose to distinguish between the original and the 
recipient's comments).  This, too, should open properly in Outlook 
Express, right?  If so, then what is the difference here?

> Suppose someone gains unauthorized access to Derek's machine?  That person
> could send out anything they want, signed, and I would be putting my faith
> in that signature?  Not likely.

The first problem is that someone must gain access to Derek's machine 
with sufficient privileges to access his stored keys (assuming that the 
keys are stored on the disk and not a removable device).

The second problem is that they must discover his passphrase in order 
to use the private key (the keys are encrypted on the disk).

The third problem (I think . . . I get a bit hazy here) is that if 
Derek learns of the intrusion he can expire the key so that it may not 
be used again.  However, I think a previous poster was demonstrating 
that the keys can still be used because it doesn't (at least by 
default) check the key server upon every use.

- -- 
                                                            Voltage Spike
       ,,,
      (. .)
- --ooO-(_)-Ooo--

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (Darwin)

iD8DBQE9k1PDpNoctRtUIRQRAniwAJoDmA7b58PajXyaO4ZpbSK7Hud5xACeIyVY
KI+a97H9deOzmBilMbixqzA=
=Mhco
-----END PGP SIGNATURE-----