Re: OpenPGP-signed messages on Usenet: current best practice
- From: Bob Henson <news@xxxxxxxxxxxxx>
- Date: Fri, 17 Mar 2006 14:19:54 +0000
Tristan Miller wrote:
> Greetings.
>
> Is there any consensus on the posting of OpenPGP-signed articles to
> non-binary newsgroups? Are they welcome or hated? Are they considered
> binary attachments? About what proportion of Usenet readers are using a
> newsreader that recognizes and correctly processes (i.e., verify the
> signature if PGP/GnuPG software is installed, otherwise ignore but
> indicate that a signature is present) PGP-signed articles?
Like Tom, I use signatures in PGP or other security-oriented newsgroups
only. There will generally be a few complaints if used in other
newsgroups where the importance of signing is not necessarily recognised
and the readers think of it as unnecessary "clutter". If the
authenticity of my postings were challenged, of course, I would sign
every time.
> I know, for example, that Microsoft Outlook Express's handling of
> OpenPGP-signed mail is terrible -- it presents a blank message with both
> the text and digital signature parts as attachments, and doesn't identify
> the signature as a signature, so Outlook Express users often write me back
> saying, "I couldn't open your second attachment!". Does Outlook Express
> (or other popular newsreaders) do the same thing for signed newsgroup
> articles?
The issue of using PGP/MIME is a different one. There are very few mail
clients capable of handling PGP/MIME as such, so it can tend to irritate
anyone not using such a client. OE is the worst, of course, because, as
you say, it doesn't display the text of the message at all - however, I
figure anyone using OE doesn't know or care much about security anyway -
or they wouldn't use it. The problem with using in-line signing is that
it can too easily be damaged by mail clients which mangle the e-mail
(Thunderbird - one of the best e-mail clients - unfortunately does so) and
that prevents the signature from verifying. This is so common that
in-line signing should really be used only if all else fails.
A couple of things make PGP/MIME less of a problem than previously.
Firstly, PGP itself solves the problem with the advent of v 9.x; this
should handle it OK. The second is that many people interested in
security have switched away from PGP anyway to use GnuPG - which will
handle PGP/MIME correctly. In combination with Thunderbird/Enigmail or
other front ends for GnuPG this means that PGP/MIME is really not a
problem, and since it is by far the best and most secure method, should
be used as first choice.
Regards,
Bob
--
Remove "x" from address to reply by email
Attachment:
signature.asc
Description: OpenPGP digital signature
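
Added example (not part of Bob Henson's post or the thread): a Python sketch of why an in-line (cleartext) signature tolerates some transit changes and not others. It applies the cleartext canonicalization of RFC 4880 section 7.1 and compares digests before and after each change. The sample body, the list of transformations and all function names are constructed for illustration; the SHA-256 digest stands in for the real signature hash, and dash-escaping is left out because the sample has no line starting with "-".

```python
import hashlib
import re
import textwrap

# Constructed sample body (not taken from the thread).
SAMPLE = (
    "Greetings.\n"
    "\n"
    "From what I have seen, inline signatures break whenever a client "
    "rewraps a long line such as this one.\n"
    "Regards,\n"
)

def canonicalize(text: str) -> bytes:
    """Cleartext-signature canonical form per RFC 4880 section 7.1."""
    lines = text.replace("\r\n", "\n").split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # the line ending before the signature armor is not signed
    # Trailing spaces/tabs are dropped and line endings become CRLF.
    return "\r\n".join(line.rstrip(" \t") for line in lines).encode("utf-8")

def digest(text: str) -> str:
    # Stand-in for the signed hash (a real one also covers signature metadata).
    return hashlib.sha256(canonicalize(text)).hexdigest()

# Transformations a relay or client may apply to the body in transit.
MANGLERS = {
    "CRLF line endings": lambda t: t.replace("\n", "\r\n"),
    "trailing spaces": lambda t: "".join(l + "  \n" for l in t.splitlines()),
    "rewrap at 40 columns": lambda t: "\n".join(
        textwrap.fill(l, 40) for l in t.split("\n")),
    "mbox '>From ' quoting": lambda t: re.sub(r"(?m)^From ", ">From ", t),
}

def survey(text: str = SAMPLE) -> dict:
    """Map each transformation to True if the signed digest is unchanged."""
    want = digest(text)
    return {name: digest(fn(text)) == want for name, fn in MANGLERS.items()}

if __name__ == "__main__":
    for name, ok in survey().items():
        print(f"{name:24} {'digest unchanged' if ok else 'digest changed'}")
```

Line-ending and trailing-whitespace changes are absorbed by canonicalization; rewrapping or rewriting a line changes the signed bytes, so verification of the in-line signature fails.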