keysigning ?= UIDsigning
Hi, all. I'm a new user of GnuPG.

Forgive me if the reasoning for this seems trivial, but this behavior
surprised me enough to mail you:

I had an acquaintance ``sign my key'' and I '--import'ed the key he
mailed back to me.

Since the time I delivered my key to him, I deleted the UID and created
another with a comment in it.

The import noted the addition of a UID and a signature, and when I
list my signatures, I note that his signature is attached to the one
I previously removed.

It seems that if I remove the UID, the signature is removed. I'm
surprised.

What happens if you change ISPs or names? Must one get all signers of
your UID to re-sign the new UID?

Feature or bug?

Please CC reply to me, as I'm not certain my list-subscribe was
accepted (no confirmation).
Re: keysigning ?= UIDsigning
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 28 Jun 2000, Chad Miller wrote:

> I had an acquaintance ``sign my key'' and I '--import'ed the key he
> mailed back to me.
>
> Since the time I delivered my key to him, I deleted the UID and created
> another with a comment in it.
>
> The import noted the addition of a UID and a signature, and when I
> list my signatures, I note that his signature is attached to the one
> I previously removed.
>
> It seems that if I remove the UID, the signature is removed. I'm
> surprised.
>
> What happens if you change ISPs or names? Must one get all signers of
> your UID to re-sign the new UID?

Absolutely... If I get Abe Lincoln, Martin Luther King, and
Gandhi to sign <billy@dadadada.net> to my key, and then pull a
switcheroo to make that a key for <bill@whitehouse.gov>, I
shouldn't be able to use their signatures to help me pull off
such a fraud. That's not what they signed...

> Feature or bug?

Feature!
You accumulate signatures on your UID+key, not the key itself.
A signature asserts a relation of a UID to the key.

See, this prevents someone from removing the uid,
reinserting their own, and having the key maintain the same trust level
with your friends.. If a UID changes, then the signatures attaching
that UID to the key have to be discarded.

- --
"The Funk, the whole Funk, and nothing but the Funk."
Billy Donahue <mailto:billy@dadadada.net>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: Made with pgp4pine 1.75

iD8DBQE5WouB+2VvpwIZdF0RAg/wAJsEqwQZCITEf5uwrDMhxTow/X8zwwCggjZ3
Q/tr60EY2aRuKU1TZW82fMQ=
=7+WE
-----END PGP SIGNATURE-----
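[Added example, not part of the original thread or of GnuPG's code.] The reply above says a signature binds a UID to a key; this sketch computes the bytes a V4 User ID certification covers per RFC 4880 section 5.2.4 and shows that replacing the UID orphans the certification while adding a second UID does not. The key material, UIDs and the empty hashed-subpacket area are constructed assumptions, and a digest comparison stands in for real signature verification.

```python
import hashlib
import struct

def certification_digest(pubkey_body: bytes, user_id: str, sig_type: int = 0x10) -> str:
    """SHA-1 over the data a V4 User ID certification signs (RFC 4880, 5.2.4)."""
    uid = user_id.encode("utf-8")
    h = hashlib.sha1()
    # Public-key packet: 0x99, two-octet length, packet body.
    h.update(b"\x99" + struct.pack(">H", len(pubkey_body)) + pubkey_body)
    # User ID being certified: 0xB4, four-octet length, UID bytes.
    h.update(b"\xb4" + struct.pack(">I", len(uid)) + uid)
    # Signature fields: version 4, type, pubkey algo 17 (DSA), hash algo 2 (SHA-1),
    # then an empty hashed-subpacket area (assumption: real ones carry subpackets).
    fields = bytes([4, sig_type, 17, 2]) + struct.pack(">H", 0)
    h.update(fields)
    # V4 trailer: 0x04, 0xFF, four-octet length of the hashed signature fields.
    h.update(b"\x04\xff" + struct.pack(">I", len(fields)))
    return h.hexdigest()

def certified_uids(pubkey_body, uids_on_key, signed_digests):
    """Return the UIDs on the key that an existing certification still covers."""
    return [u for u in uids_on_key
            if certification_digest(pubkey_body, u) in signed_digests]

# Constructed stand-in for a public-key packet body (not a parseable key).
KEY = bytes([4]) + struct.pack(">I", 962150400) + bytes([17]) + b"constructed-key-material"
OLD_UID = "Alice Example <alice@old-isp.example>"          # constructed
NEW_UID = "Alice Example (work) <alice@new-isp.example>"   # constructed

# A friend certified KEY + OLD_UID; this digest is what their signature covers.
FRIEND_CERT = {certification_digest(KEY, OLD_UID)}

if __name__ == "__main__":
    print(certified_uids(KEY, [OLD_UID], FRIEND_CERT))           # UID unchanged
    print(certified_uids(KEY, [NEW_UID], FRIEND_CERT))           # UID replaced
    print(certified_uids(KEY, [OLD_UID, NEW_UID], FRIEND_CERT))  # UID added
```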
Re: keysigning ?= UIDsigning
On Wed, Jun 28, 2000 at 07:34:24PM -0400, Billy Donahue wrote:
> You accumulate signatures on your UID+key, not the key itself.
> A signature asserts a relation of a UID to the key.


...but a fingerprint or keyid doesn't assert UID at all. So, when you're
at a keysigning party, you should demand the UID as well?

Hmmm. I think I agree with this, but I suggest a change to the docs to
add as the primary UID only information that should never change, and add
UIDs later to contain email addresses and other ephemeral info after it.

It'd be a shame to get plenty of signatures on a single-UID key and have
your ISP go tits-up.

- chad

--
Chad Miller <cmiller@surfsouth.com> URL: http://web.chad.org/ (GPG)
"Any technology distinguishable from magic is insufficiently advanced".
First corollary to Clarke's Third Law (Jargon File, v4.2.0, 'magic')
Re: keysigning ?= UIDsigning
* Chad Miller <cmiller@surfsouth.com> [000629 02:46]:
> ...but a fingerprint or keyid doesn't assert UID at all. So, when you're
> at a keysigning party, you should demand the UID as well?

Yes, you should.

> It'd be a shame to get plenty of signatures on a single-UID key and have
> your ISP go tits-up.

There's a better solution: Why don't you get a mail address
which you can use your whole life? There are many services
where you can get such an address, for example Hotmail.com
or Netforward.com.

Cheers, Thomas
--
.-. Thomas Bader · thomasb@trash.net.remove · http://www.t-bader.ch/ .-.
oo| oo|
/`'\ A Unix shell account is available at http://www.trash.net/ /`'\
(\_;/) PGP Key-ID: 0x3A4B7F5D (RSA) 0x7584F5D8 (DSA/EG) (\_;/)
Re: keysigning ?= UIDsigning
>>>>> "Thomas" == Thomas Bader <thomasb@trash.net> writes:


Thomas> * Chad Miller <cmiller@surfsouth.com> [000629 02:46]:

>> It'd be a shame to get plenty of signatures on a single-UID key
>> and have your ISP go tits-up.

Thomas> There's a better solution: Why don't you get a mail
Thomas> address which you can use your whole life? There are many
Thomas> services where you can get such an address, for example
Thomas> Hotmail.com or Netforward.com.

With a hotmail address it would be very difficult to use your key with
your messages.

-walter
Re: keysigning ?= UIDsigning
* Walter Truitt <walter.truitt@usa.alcatel.com> [000629 15:58]:
> >>>>> "Thomas" == Thomas Bader <thomasb@trash.net> writes:
> Thomas> * Chad Miller <cmiller@surfsouth.com> [000629 02:46]:
>
> >> It'd be a shame to get plenty of signatures on a single-UID key
> >> and have your ISP go tits-up.
>
> Thomas> There's a better solution: Why don't you get a mail
> Thomas> address which you can use your whole life? There are many
> Thomas> services where you can get such an address, for example
> Thomas> Hotmail.com or Netforward.com.
>
> With a hotmail address it would be very difficult to use your key with
> your messages.

Why?

Cheers, Thomas
Re: keysigning ?= UIDsigning
I guess I was referring more to using a pgp-mime message. The standard
pgp block messages can be copied and pasted. Trying to check a signature
that was attached to the message could be difficult as well. Another
reason I would have preferred that people would sign a text file and
then attach the text file and signature rather than signing the text
with some of the headers.

-walter
Re: keysigning ?= UIDsigning
* Walter Truitt <wtruitt@ssd.usa.alcatel.com> [000629 19:28]:
> I guess I was referring more to using a pgp-mime message. The standard
> pgp block messages can be copied and pasted. Trying to check a signature
> that was attached to the message could be difficult as well. Another
> reason I would have preferred that people would sign a text file and
> then attach the text file and signature rather than signing the text
> with some of the headers.

Imagine, you can forward all mails to your Hotmail account
to another account. So, why don't you forward your Hotmail
account to your ISP's account?
Then you could use every mailer you prefer.

Cheers, Thomas
Re: keysigning ?= UIDsigning
"L. Sassaman" <rabbi@quickie.net> writes:

> As I have often stated, PGP/MIME is ugly.

Such claims are often the result of a US-centered view of the
world. ;-)

--
Florian Weimer Florian.Weimer@RUS.Uni-Stuttgart.DE
University of Stuttgart http://cert.uni-stuttgart.de/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898
http://ca.uni-stuttgart.de:11371/pks/lookup?op=get&search=0xC06EC3B5
Re: keysigning ?= UIDsigning
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2 Jul 2000, Florian Weimer wrote:

> "L. Sassaman" <rabbi@quickie.net> writes:
>
> > As I have often stated, PGP/MIME is ugly.
>
> Such claims are often the result of a US-centered view of the
> world. ;-)

I know this is a joke, but what?
I don't see anything particularly i18n-friendly about
PGP/MIME vs. the regular-old PGP BEGIN/END format.
Generally, it has always seemed like less of a hassle
to deal with inline data than with MIME parts.

- --
"The Funk, the whole Funk, and nothing but the Funk."
Billy Donahue <mailto:billy@dadadada.net>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: Made with pgp4pine 1.75

iD8DBQE5X1ir+2VvpwIZdF0RAknmAJ9Vdt2CuGkXw86SN19VkBlyVtOLBACePdmt
gqDYWzl/6m8z/ERUHf9JKyM=
=C2UH
-----END PGP SIGNATURE-----
Re: keysigning ?= UIDsigning
* Billy Donahue <billy@dadadada.net> [000702 16:58]:
> I don't see anything particularly i18n-friendly about
> PGP/MIME vs. the regular-old PGP BEGIN/END format.

Have you ever sent a message containing those umlauts (öäü)?
If you send such a message in the regular-old PGP BEGIN/END
format, then the umlauts get screwed up. If you use
PGP/MIME this doesn't happen.

Cheers, Thomas
Re: keysigning ?= UIDsigning
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 3 Jul 2000, Thomas Bader wrote:

> * Billy Donahue <billy@dadadada.net> [000702 16:58]:
> > I don't see anything particularly i18n-friendly about
> > PGP/MIME vs. the regular-old PGP BEGIN/END format.
>
> Have you ever sent a message containing those umlauts (öäü)?
> If you send such a message in the regular-old PGP BEGIN/END
> format, then the umlauts get screwed up. If you use
> PGP/MIME this doesn't happen.

Ahh.. I can't even see the one you just sent me...
I just get a space.. Maybe it's Gnome-terminal's.. fault..
I never was any good at setting that kind of stuff up right..

- --
"The Funk, the whole Funk, and nothing but the Funk."
Billy Donahue <mailto:billy@dadadada.net>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: Made with pgp4pine 1.75

iD8DBQE5YKZT+2VvpwIZdF0RAiX+AJsGMgrPRC1LMk6/TkG6zt+hPtPszQCfcaTY
SgzKFwv7KADNghXMO81bJyc=
=7Uy8
-----END PGP SIGNATURE-----
Re: keysigning ?= UIDsigning
Why is that a US-centered view? I am in the US and agree that it is
ugly, I just don't see exactly why it would be limited to here. I
just don't like the way it works with some of my email programs.

-walter

>>>>> "Florian" == Florian Weimer <Florian.Weimer@RUS.Uni-Stuttgart.DE> writes:


Florian> "L. Sassaman" <rabbi@quickie.net> writes:

>> As I have often stated, PGP/MIME is ugly.

Florian> Such claims are often the result of a US-centered view of
Florian> the world. ;-)

Florian> -- Florian Weimer Florian.Weimer@RUS.Uni-Stuttgart.DE
Florian> University of Stuttgart http://cert.uni-stuttgart.de/
Florian> RUS-CERT +49-711-685-5973/fax +49-711-685-5898
Florian> http://ca.uni-stuttgart.de:11371/pks/lookup?op=get&search=0xC06EC3B5
Re: keysigning ?= UIDsigning
Walter Truitt <wtruitt@ssd.usa.alcatel.com> writes:

[Claims that MIME-PGP is ugly and unnecessary]

> Why is that a US-centered view? I am in the US and agree that it is
> ugly, I just don't see exactly why it would be limited to here. I
> just don't like the way it works with some of my email programs.

In some regions of the world (actually, most), people can't write
their native language in plain ASCII characters. The clear-signing
approach doesn't work reliably if there are non-ASCII characters, and
MIME-PGP is a very straightforward solution.

The assumption that all languages can be adequately represented in
ASCII is certainly more common among people living in the US than, for
example, among Frenchmen.

--
Florian Weimer Florian.Weimer@RUS.Uni-Stuttgart.DE
University of Stuttgart http://cert.uni-stuttgart.de/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898
http://ca.uni-stuttgart.de:11371/pks/lookup?op=get&search=0xC06EC3B5
Re: keysigning ?= UIDsigning
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thomas Bader, at 09:52 +0200 on Mon, 3 Jul 2000, wrote:

> Have you ever sent a message containing those umlauts (öäü)? If you
> send such a message in the regular-old PGP BEGIN/END format, then the
> umlauts get screwed up. If you use PGP/MIME this doesn't happen.

Seems to work fine when using PGP BEGIN/END in Pine; dunno if Pine is just
hacking it, though.

- --
Frank Tobin http://www.uiuc.edu/~ftobin/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1h (FreeBSD)
Comment: pgpenvelope 2.8.8 - http://pgpenvelope.sourceforge.net/

iEYEARECAAYFAjlg+PMACgkQVv/RCiYMT6PIIgCeMGgpDZXD0unYxfmNHV4MB7CR
X2wAn3/4enTDsY8ELzO6RJmCEhrkE7oH
=eXJh
-----END PGP SIGNATURE-----
Re: keysigning ?= UIDsigning
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 3 Jul 2000, Florian Weimer wrote:

> Walter Truitt <wtruitt@ssd.usa.alcatel.com> writes:
>
> [Claims that MIME-PGP is ugly and unnecessary]
>
> > Why is that a US-centered view? I am in the US and agree that it is
> > ugly, I just don't see exactly why it would be limited to here. I
> > just don't like the way it works with some of my email programs.
>
> In some regions of the world (actually, most), people can't write
> their native language in plain ASCII characters. The clear-signing
> approach doesn't work reliably if there are non-ASCII characters, and
> MIME-PGP is a very straightforward solution.

The confusion was that I and others didn't know that non-ASCII characters
were mangled by 'gpg -sab'.

- --
"The Funk, the whole Funk, and nothing but the Funk."
Billy Donahue <mailto:billy@dadadada.net>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: Made with pgp4pine 1.75

iD8DBQE5YSb2+2VvpwIZdF0RAme6AJ9xS5QewvVkt8X0mMPSB3qBBH7mLACfbjsU
wkovAZikt3tYfjU7U09Mi6U=
=STfB
-----END PGP SIGNATURE-----
Re: keysigning ?= UIDsigning
* Frank Tobin <ftobin@uiuc.edu> [000703 22:34]:
> Thomas Bader, at 09:52 +0200 on Mon, 3 Jul 2000, wrote:
> > Have you ever sent a message containing those umlauts (öäü)? If you
> > send such a message in the regular-old PGP BEGIN/END format, then the
> > umlauts get screwed up. If you use PGP/MIME this doesn't happen.
>
> Seems to work fine when using PGP BEGIN/END in Pine; dunno if Pine is just
> hacking it, though.

No, this does not work. Imagine, if you send such a mail in
Quoted-Printable: There could be some MTAs which convert it
to 8Bit before storing it in the user's mailbox. Due to the
conversion, the signed content becomes invalid.
You can avoid this by signing the content before it gets
encoded to Quoted-Printable.
But this seems only possible by using PGP-MIME. All Mailers
I know do the signing *after* encoding to Quoted-Printable.

Cheers, Thomas
Re: keysigning ?= UIDsigning
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thomas Bader, at 09:56 +0200 on Tue, 4 Jul 2000, wrote:

> No, this does not work. Imagine, if you send such a mail in
> Quoted-Printable: There could be some MTAs which convert it to 8Bit
> before storing it in the user's mailbox. Due to the conversion, the
> signed content becomes invalid. You can avoid this by signing the content
> before it gets encoded to Quoted-Printable. But this seems only
> possible by using PGP-MIME. All Mailers I know do the signing *after*
> encoding to Quoted-Printable.

Ah, I see. I didn't grasp it since Pine's sending filters enact before
any encoding, so plugin-signing programs such as pgpenvelope sign 8bit,
not quoted-printable.

- --
Frank Tobin http://www.uiuc.edu/~ftobin/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1h (FreeBSD)
Comment: pgpenvelope 2.8.8 - http://pgpenvelope.sourceforge.net/

iEYEARECAAYFAjlhrnYACgkQVv/RCiYMT6O4LgCfWRjbrCEJedMYqfDkm0cQREmT
0KcAnRlZjcTXQoNecbzBHuNYJI2CK6rD
=7TLF
-----END PGP SIGNATURE-----
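[Added example, not part of the original thread.] The last two messages contrast signing after quoted-printable encoding with signing the 8-bit text before encoding; this model runs both orders through an MTA that may rewrite the body as 8bit. A SHA-1 digest of the signed bytes stands in for the signature, and the sample text and function names are constructed assumptions.

```python
import hashlib
import quopri

# Constructed sample body with umlauts, in the 8-bit form the author typed.
TEXT = "Grüße aus Zürich\n".encode("iso-8859-1")

def digest(data: bytes) -> str:
    """Stand-in for a signature: the hash of the exact bytes that were signed."""
    return hashlib.sha1(data).hexdigest()

def sign_after_encoding(text8: bytes):
    """Mailer encodes to quoted-printable first, then signs the encoded bytes."""
    wire = quopri.encodestring(text8)
    return wire, "quoted-printable", digest(wire)

def sign_before_encoding(text8: bytes):
    """Filter signs the 8-bit text; transfer encoding is applied afterwards."""
    return quopri.encodestring(text8), "quoted-printable", digest(text8)

def mta_store(body: bytes, cte: str, converts_to_8bit: bool):
    """Model an MTA that may rewrite a quoted-printable body as 8bit."""
    if converts_to_8bit and cte == "quoted-printable":
        return quopri.decodestring(body), "8bit"
    return body, cte

def verifies(body: bytes, cte: str, signed: str, signed_form: str) -> bool:
    """Check the stored body; signed_form says which form was signed ('wire' or '8bit')."""
    if signed_form == "8bit" and cte == "quoted-printable":
        body = quopri.decodestring(body)  # undo transfer encoding before checking
    return digest(body) == signed

def outcome(sign, signed_form: str, converts_to_8bit: bool) -> bool:
    """Sign TEXT, pass it through the modelled MTA, and report whether it verifies."""
    body, cte, sig = sign(TEXT)
    body, cte = mta_store(body, cte, converts_to_8bit)
    return verifies(body, cte, sig, signed_form)

if __name__ == "__main__":
    for name, sign, form in (("sign after QP ", sign_after_encoding, "wire"),
                             ("sign before QP", sign_before_encoding, "8bit")):
        for converts in (False, True):
            print(name, "| MTA converts to 8bit:", converts,
                  "| verifies:", outcome(sign, form, converts))
```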