From: Rick Busdiecker <rfb@lehman.com>
Date: Thu, 1 Dec 94 12:38:46 PST
To: "Timothy C. May" <tcmay@netcom.com>
Subject: Re: signing messages
In-Reply-To: <199411300623.WAA03988@netcom11.netcom.com>
Message-ID: <9412012036.AA15164@cfdevx1.lehman.com>
MIME-Version: 1.0
Content-Type: text/plain


    From: "Timothy C. May" <tcmay@netcom.com>
    Date: Tue, 29 Nov 1994 22:23:09 -0800 (PST)

    1. Only one person has reported to me that they were unable to verify
    my PGP sig (Lance Cottrell reported this...if others did, maybe their
    messages haven't gotten through to me)). From this I conclude that few
    people check PGP sigs.

A safer conclusion would be that few people report signature failures,
although I suspect that your conclusion is also correct.

I noticed that your message's signature failed, but chose not to
report it.  As I recall, it failed because I didn't have the
appropriate key, although I do have your 0x54E7483F key and the key
that it appeared to be signed with wasn't available from the MIT key
server.

I also noticed Bill Stewart's signature failure on Message-Id:
<9411300425.AA21554@anchor.ho.att.com> -- ASCII armor stripping
failed.

In both cases, I assumed that the sender was trying to spoof the act
of signing and I further assumed that you were more careful to match
the form of a signed message than Bill was.  The fact that you've been
doing some spoofing lately only strengthened by sense that this was
another gag.

Often, but not always, when I see a Bad Signature message I let the
sender know about it.

			Rick