Things we should know about PGP

May 09th, 2012 - 07:40 am ET by Ralf Mardorf
If this discussion can't be stopped, then perhaps we can make it a
useful thread, by not talking about how to behave or not to behave on a
mailing list, by not talking about whether we want signed emails or not.

When the subject was "gpg/pgp noise" Jon Dowland wrote: "I clearly
explained that his key was signed by another he owned, which in turn was
signed by *someone else entirely*."

A chain of unsigned keys for one and the same person, with one key at
the end of this chain, that is signed by one person only or even enough
persons signing it, is useless. This isn't the correct way to sign a
key, since it's not secure and not handy.

You will handle the key directly by a web of trust, not by a chain of
own keys and not only signed by one person. You can do this by visiting
parties, where this is done.

OTOH, when do you really need signing? More likely you will
encrypt mails, e.g. to ensure that if you write to a family with young
children, using the same computer, only the parents can read mails with
contents that aren't good for children. In such a case it's not needed
to ensure that the key is trusted. It's only important that the parents
know how to decrypt and the children don't know it. This anyway prevents
manipulating the mail's content, without signing.

If you really need security, then you need to take care about many
things using PGP. I only use openPGP from time to time, to ensure that
just a special person can read this mail, but not to be completely
secure. I don't need knowledge about how to handle PGP correctly and I
don't have this knowledge.

Seemingly some people have completely wrong perceptions about e.g.
signing a key.

Instead of having something similar to a flame-war, some useful
information belongs to this list.

- Ralf


To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/1336563132.7752.25.camel@precise
Replies

#1 Camaleón
May 09th, 2012 - 01:30 pm ET
On Wed, 09 May 2012 13:32:12 +0200, Ralf Mardorf wrote:

> If this discussion can't be stopped, then perhaps we can make it a
> useful thread, by not talking about how to behave or not to behave on a
> mailing list, by not talking about whether we want signed emails or not.

(...)

> If you really need security, then you need to take care about many
> things using PGP. I only use openPGP from time to time, to ensure that
> just a special person can read this mail, but not to be completely
> secure. I don't need knowledge about how to handle PGP correctly and I
> don't have this knowledge.

But security has nothing to do with a signed message.

You use GPG/PGP signatures when you want other people to be able to verify
that you are the author of that message. And you encrypt your message when
you want to prevent others from accessing its content, no more and no less.

> Seemingly some people have completely wrong perceptions about e.g.
> signing a key.

Exactly. For instance, those who think that PGP signed messages will
improve security when reading/posting e-mails >;-)

> Instead of having something similar to a flame-war, some useful
> information belongs to this list.

I only see one big flaw in GPG/PGP signatures' current methodology: their
"keyring" system of trust relies on people and people, by definition, are
nothing but unreliable. That's why I don't sign my own messages and I
don't care about others' signatures. To my understanding it is a waste of
time and resources with little-to-nothing gain.

Greetings,

Camaleón


#2 Ralf Mardorf
May 09th, 2012 - 01:50 pm ET
On Wed, 2012-05-09 at 17:26 +0000, Camaleón wrote:

> Exactly. For instance, those who think that PGP signed messages will
> improve security when reading/posting e-mails >;-)

AFAIK a signed message can't become dirty. So it's secure that nobody
added a word, removed a word or completely edited the message. This might
be a kind of security some people wish to have.

- Ralf
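The two posts above draw the line that matters: a signature lets anyone holding the public key check authorship and that the text was not altered; it hides nothing, and confidentiality is the separate job of encryption. The following is an added example, not code from the thread or from any participant: a textbook RSA signature over SHA-256 using fixed Mersenne primes, with no padding and a key size that is far too small for real use. "Ralf" and "impostor" are hypothetical demo keys, not the real participants' keys. It shows the three cases argued about: a genuine signature verifies, one changed word breaks it, and a signature made with someone else's key fails against the claimed key.

```python
import hashlib

E = 65537  # public exponent, as commonly used in RSA keys


def toy_keypair(p, q):
    """Return ((n, e), (n, d)) for two primes. Demo-size only; not a real key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # private exponent: modular inverse of e (Python 3.8+)
    return (n, E), (n, d)


def _digest(message: bytes, n: int) -> int:
    # Hash the message, then reduce into Z_n. Real RSA signatures apply
    # PKCS#1 padding at this step; this toy deliberately skips it.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private) -> int:
    """Detached signature: only the holder of d can compute this value."""
    n, d = private
    return pow(_digest(message, n), d, n)


def verify(message: bytes, signature: int, public) -> bool:
    """Anyone holding the public key (n, e) can check the signature."""
    n, e = public
    return pow(signature, e, n) == _digest(message, n)


# Constructed demo keys from Mersenne primes (2**61-1, 2**31-1, 2**107-1, 2**89-1).
# Hypothetical "Ralf" and "impostor" keys; they are not the real participants' keys.
RALF_PUB, RALF_PRIV = toy_keypair(2**61 - 1, 2**31 - 1)
IMPOSTOR_PUB, IMPOSTOR_PRIV = toy_keypair(2**107 - 1, 2**89 - 1)


def demo():
    """The three cases argued about in the thread; returns the outcomes."""
    msg = b"Signing proves who wrote the mail and that it was not altered."
    sig = sign(msg, RALF_PRIV)
    tampered = msg.replace(b"not altered", b"altered")
    forged = sign(msg, IMPOSTOR_PRIV)  # someone else signs the same text with their own key
    return {
        "genuine": verify(msg, sig, RALF_PUB),        # True: the signature checks out
        "tampered": verify(tampered, sig, RALF_PUB),  # False: one changed word breaks it
        "impostor": verify(msg, forged, RALF_PUB),    # False: not made with Ralf's key
        "readable": msg.decode(),                     # signing hides nothing; that is encryption's job
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:9s} {outcome}")
```

The "readable" entry is the point Camaleón makes: the signed text stays in clear, so signing and encrypting are independent operations, and which one you need depends on whether you want authorship and integrity or secrecy.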


#3 Mika Suomalainen
May 09th, 2012 - 02:20 pm ET
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)

09.05.2012 21:09, Jon Dowland kirjoitti:

> I didn't check beyond the other person: if they have sigs on their key,
> then it's feasible Mika is joined to a/the web of trust. Rather than
> try to manually construct such a path, I fed Mikka's key into pathfinder
> web sites, but his key is not widespread enough, and the ones I tried
> didn't know about him. I did not rule him out of the web of trust, nor
> prove him in.

Please feel free to put my key on those path finder services (gpg

I'm sorry, but you probably won't find any relation to my key, because
of
https://github.com/Mkaysi/mkaysi.gi...-trust-web
.

I will now continue this policy,
https://github.com/Mkaysi/mkaysi.gi...-this-page
.

PS. My name is written with one "k" letter, Mika, not "Mikka".

PS of PS. If anyone happens to visit near this city and wants to meet me
to sign my key, that might be possible too, but I don't see any reason
why anyone would be interested in this city.

[Mika Suomalainen](https://mkaysi.github.com/) ||
[gpg --keyserver pool.sks-keyservers.net --recv-keys
4DB53CFE82A46728](http://mkaysi.github.com/PGP/key.txt) ||
[Why do I sign my
emails?](http://mkaysi.github.com/PGP/WhyDoISignEmails.html) ||
[Please don't send
HTML.](http://mkaysi.github.com/articles/c.../HTML.html) ||
[Please don't
toppost](http://mkaysi.github.com/articles/c...sting.html) ||
[This signature](https://gist.github.com/2643070) ||

#4 Jon Dowland
May 09th, 2012 - 02:20 pm ET
On Wed, May 09, 2012 at 01:32:12PM +0200, Ralf Mardorf wrote:

> When the subject was "gpg/pgp noise" Jon Dowland wrote: "I clearly
> explained that his key was signed by another he owned, which in turn was
> signed by *someone else entirely*."
>
> A chain of unsigned keys for one and the same person, with one key at
> the end of this chain, that is signed by one person only or even enough
> persons signing it, is useless. This isn't the correct way to sign a
> key, since it's not secure and not handy.

I didn't check beyond the other person: if they have sigs on their key,
then it's feasible Mika is joined to a/the web of trust. Rather than
try to manually construct such a path, I fed Mikka's key into pathfinder
web sites, but his key is not widespread enough, and the ones I tried
didn't know about him. I did not rule him out of the web of trust, nor
prove him in.

> OTOH, when do you really need signing? More likely you will
> encrypt mails, e.g. to ensure that if you write to a family with young
> children, using the same computer, only the parents can read mails with
> contents that aren't good for children. In such a case it's not needed
> to ensure that the key is trusted. It's only important that the parents
> know how to decrypt and the children don't know it. This anyway prevents
> manipulating the mail's content, without signing.

IME I've signed many mails and verified many signed mails and very rarely
encrypted messages. In fact the only times I have encrypted or decrypted
mail was when sending signatures of someone's key to themselves.
I suppose different people have different use-cases.

Jon Dowland
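Ralf's opening post (a chain of one person's own keys, ending in a single outside signature, buys nothing) and Jon's pathfinder attempt above are both questions about the same computation: from my own key, which keys are valid under the web of trust? The following is an added example, not code from the thread, from GnuPG or from any participant: a simplified version of GnuPG's classic trust model (completes-needed=1, marginals-needed=3, max-cert-depth=5) run over a constructed keyring whose key ids, owners and signatures are invented to mirror the situation in the thread. It shows that certifications from a key with no ownertrust count for nothing, so the remote person's second key only becomes valid once its first key is both certified by enough trusted people and explicitly trusted as a certifier.

```python
from dataclasses import dataclass, field

# Ownertrust levels of GnuPG's classic trust model
ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"


@dataclass
class Key:
    keyid: str                 # constructed label, not a real key id
    owner: str                 # who holds the private key
    ownertrust: str = UNKNOWN  # how much I trust this owner as a certifier of others
    signed_by: set = field(default_factory=set)  # key ids that certified this key


def compute_validity(keyring, completes_needed=1, marginals_needed=3, max_cert_depth=5):
    """Return {keyid: depth} for every key valid from my ultimately trusted keys.

    Simplified from GnuPG: a key becomes valid at depth d when it carries
    certifications from at least `completes_needed` fully trusted keys or
    `marginals_needed` marginally trusted keys that are themselves valid at a
    smaller depth. Certifications from keys that are valid but carry no
    ownertrust count for nothing; that is why a chain of one person's own
    keys does not help.
    """
    valid = {kid: 0 for kid, k in keyring.items() if k.ownertrust == ULTIMATE}
    for depth in range(1, max_cert_depth + 1):
        newly = {}
        for kid, key in keyring.items():
            if kid in valid:
                continue
            full = marginal = 0
            for signer_id in key.signed_by:
                signer = keyring.get(signer_id)
                if signer is None or signer_id not in valid:
                    continue  # unknown key, or not (yet) valid: ignored
                if signer.ownertrust in (ULTIMATE, FULL):
                    full += 1
                elif signer.ownertrust == MARGINAL:
                    marginal += 1
            if full >= completes_needed or marginal >= marginals_needed:
                newly[kid] = depth
        if not newly:
            break
        valid.update(newly)  # added after the pass, so depth strictly increases
    return valid


def clone(keyring):
    """Deep enough copy so scenarios do not disturb each other."""
    return {kid: Key(k.keyid, k.owner, k.ownertrust, set(k.signed_by)) for kid, k in keyring.items()}


def certify(keyring, target, signers):
    """Copy of the keyring in which each key in `signers` has certified `target`."""
    copy = clone(keyring)
    copy[target].signed_by.update(signers)
    return copy


def example_keyring():
    """Constructed keyring mirroring the thread: REMOTE2 is certified only by
    REMOTE1, another key of the same owner, which is certified by a stranger."""
    return {
        "ME":       Key("ME", "me", ULTIMATE),
        "ALICE":    Key("ALICE", "alice", FULL, {"ME"}),
        "BOB":      Key("BOB", "bob", MARGINAL, {"ME"}),
        "CAROL":    Key("CAROL", "carol", MARGINAL, {"ME"}),
        "DAVE":     Key("DAVE", "dave", MARGINAL, {"ALICE"}),
        "STRANGER": Key("STRANGER", "stranger"),
        "REMOTE1":  Key("REMOTE1", "remote", UNKNOWN, {"STRANGER"}),
        "REMOTE2":  Key("REMOTE2", "remote", UNKNOWN, {"REMOTE1"}),
    }


def walkthrough():
    """Three keyrings, three validity results."""
    base = example_keyring()
    # 1. As found: neither of the remote person's keys is reachable from ME.
    as_found = compute_validity(base)
    # 2. Three marginally trusted people meet the owner and certify REMOTE1.
    met = certify(base, "REMOTE1", {"BOB", "CAROL", "DAVE"})
    after_signing = compute_validity(met)
    # 3. REMOTE2 only becomes valid once I also assign ownertrust to REMOTE1,
    #    i.e. decide that this person's certifications are good enough for me.
    trusted = clone(met)
    trusted["REMOTE1"].ownertrust = FULL
    after_ownertrust = compute_validity(trusted)
    return as_found, after_signing, after_ownertrust


if __name__ == "__main__":
    for label, result in zip(("as found", "after signing", "after ownertrust"), walkthrough()):
        print(f"{label:17s} {sorted(result)}")
```

Real GnuPG additionally checks that each certification is a cryptographically valid signature on a user id, honours expiry and revocation, and lets you tune the thresholds with `--completes-needed`, `--marginals-needed` and `--max-cert-depth`; the depth limit is also why a path found by a public pathfinder site may still not make a key valid in your own keyring.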


#5 Ralf Mardorf
May 09th, 2012 - 03:00 pm ET
"The signature is evidence that message comes from me. If I sign all my
messages, I can say that I sign all my messages and possibly unsigned
offensive content, which is spoofed to "come" from my address, isn't
sent by me."

You also could lie and anyway send unsigned mails.

And why is it needed? If you call a friend do you have some code words,
questions to ensure that you don't speak with a voice imitator. And do
you record the phone calls and rewind to prove what your friend or you
said in case of a disagreement?

This is a loss of civilization!

We don't need this.

An employer might google my name and find posts of a doppelgänger of
mine. Less likely, I only found my own posts, but I also found somebody
with the same name, living in another German city, IIRC I found just the
snail mail address of the doppelgänger, no posts.

FWIW your mails are OK here.

This is only visible if I explicitly view the source:




This is what I see as the email:

09.05.2012 21:09, Jon Dowland kirjoitti:
I didn't check beyond the other person: if they have sigs on


their key,
then it's feasible Mika is joined to a/the web of trust.


Rather than
try to manually construct such a path, I fed Mikka's key into


pathfinder
web sites, but his key is not widespread enough, and the ones


I tried
didn't know about him. I did not rule him out of the web of


trust, nor
prove him in.



Please feel free to put my key on those path finder services
(gpg
4DB53CFE82A46728.

I'm sorry, but you won't probably find any relation to my key,
because
of
https://github.com/Mkaysi/mkaysi.gi...-trust-web
.

I will now continue this policy,
https://github.com/Mkaysi/mkaysi.gi...-this-page
.

PS. My name is written with one "k" letter, Mika, not "Mikka".

PS of PS. If anyone happens to visit near this city and want to
meet me
to sign my key, that might be possible too, but I don't see any
reason
why anyone would be interested about this city.

[Mika Suomalainen](https://mkaysi.github.com/) ||
[gpg --keyserver pool.sks-keyservers.net --recv-keys
4DB53CFE82A46728](http://mkaysi.github.com/PGP/key.txt) ||
[Why do I sign my
emails?](http://mkaysi.github.com/PGP/WhyDoISignEmails.html) ||
[Please don't send
HTML.](http://mkaysi.github.com/articles/c.../HTML.html)
||
[Please don't
toppost](http://mkaysi.github.com/articles/c...sting.html) ||
[This signature](https://gist.github.com/2643070) ||

