1995-09-27 - Re: Timothy C. May: Mini-mailbombs and Warning Letters

Header Data

From: Travis Corcoran <tjic@OpenMarket.com>
To: tcmay@got.net
Message Hash: 1ade12c2e8e78e0b6a74932fee016c081197602a097112aa152e3e5df88af6ba
Message ID: <199509271833.OAA13270@cranmore.openmarket.com>
Reply To: <ac8ed65501021004cc69@[205.199.118.202]>
UTC Datetime: 1995-09-27 18:33:47 UTC
Raw Date: Wed, 27 Sep 95 11:33:47 PDT

Raw message

From: Travis Corcoran <tjic@OpenMarket.com>
Date: Wed, 27 Sep 95 11:33:47 PDT
To: tcmay@got.net
Subject: Re: Timothy C. May: Mini-mailbombs and Warning Letters
In-Reply-To: <ac8ed65501021004cc69@[205.199.118.202]>
Message-ID: <199509271833.OAA13270@cranmore.openmarket.com>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

Message-Signature-Date: Wed Sep 27 14:33:28 1995

>  Date: Wed, 27 Sep 1995 10:39:21 -0700
>  From: tcmay@got.net (Timothy C. May)
>  
>  At 4:28 PM 9/27/95, Travis Corcoran wrote:
>  
>  >As the author of the package in question, I would like to point out:
>  >
>  >(1) the email msg Tim refers to (hereafter refered to by me as "query-mail")
>  >                was a request for information, not a warning
>  

>  I don't sign my messages, never have, so I see no way this "agent" Travis
>  ran could find such a signed message from me.

OK, then this sidetracks the discussion, as it seems we've got a bug
in either software behavior (despite a fair amount of testing) or user
behavior.

If it's the former, I apologize for any hassle my software caused.
I'll investigate this and issue a fix if it is a software problem.
However, I remind you that the query-mail said in it

- ------------------------------ snip! ------------------------------

	If there is a bug w this sftwr (for example, you never PGP sign your
	msgs, so this entire msg makes no sense) [ ... ] please mail the
	author of this package ( tjic@openmarket.com )

- ------------------------------ snip! ------------------------------

For future reference, if anyone finds a bug in any of my software
(free or otherwise), it is much more likely to get fixed by mailing me
directly than by posting a manifesto about the class of software as a
whole to a mailing list or newsgroup.

>  >A question: in a situation like this one, where an individual
>  >signed a message with a key then did not make a key with the
>  >return address of his message available [ ... ] what next step -if
>  >any- do people think is more appropriate than sending mail to the
>  >individual asking them for a copy of the key ?
>
>  Ignore it. Why hassle people who have no plan or finger
>  configurations?

Well, during the year or so I've been using my package I've tried to
verify thousands of posts.  In hundreds of these times, I've not had
the key on hand and had to use finger or the keysevers.  In dozens of
these times, finger and the keyserver failed, I sent mail to the
original poster, and got a response back along the lines of:

		"Unfortunately finger doesn't work at my site, but my key is on the
		keysever...oh, wait...the address on the key is 6 months out of date!
		Sorry!  Just updated it.  { Try now. | My updated key is below }."  

Thus, history has shown that it is often quite valid to ask people for
their keys when all other avenues have been exhausted.

Further, I imagine that the vast majority of people who sign public
UseNet messages intend for their messages to be verifiable, and thus
find it reasonable to be asked for their keys if their keys are not
easilly available.  If anyone thinks this is an incorrect assumption,
I'd like to hear their thinking.

>  Besides, people who really want to communicate with me with PGP
>  simply ask for it.

Uh...isn't that the purpose that the query mail ("Please mail me your
key.  Thank you.") was serving?

I'm not sure whether you're objecting to someone asked for your key,
or the fact that they did it through a semi-automated process.


I posted an idea for a scheme recently that would convey the datum "I
prefer PGP-encrypted mail" to intelligent cryptography-aware
news/mail-readers.  Perhaps the same scheme should be used to convey
the datum "I do feel the need for my PGP-signed messages to be
verified.  Please do not ask me for my key."  While it would be easy
enough to implement, I'm not sure how many people would choose to
encode this tag into their sig block or headers...


>  If you don't like this, fine. But don't robo-interrogate and send
>  robo-warnings.

I think the phrase "robo-interogate" is pretty strong for sending a
piece of email that has as its central message 

		"Please mail me your key.  Thank you."

The phrase "robo-warnings" is even less appropriate and relevant.


For the record, the full text of the query mail (including all three
uses of the word "please", and all 0 references to "warnings",
"interogations", and "truncheons" ) is:

- ------------------------------ snip! ------------------------------

	To: < mail-signer >
	Subject: please send me your PGP public key


	Hello.  While reading either email or UseNet I came across a PGP
	signed msg from you, but did not have your public key to verify it
	with.  My mail/newsreader fingered your account for your key and
	failed.  It then tried to get your key from the keyserver at

		< keyserver-address >

	but the key was not there.  Please mail me your key.  Thank you.

	 (If you think that the key should be there, be aware that my
	mailreader searched for the key by your email addr as seen by me - the
	same addr *this* piece of mail is being sent to.  If you registered a
	key with the server, that key may not have on it your addr as it is
	seen by the rest of the world.)

	P.S.  This mail was composed by my mailreading sftwr, which
	automatically scans incoming mail, looking for failed keyserver
	requests, and prompts me whether it should automatically send this msg
	on my behalf.  If there is a bug w this sftwr (for example, you never
	PGP sign your msgs, so this entire msg makes no sense), or if you're
	interested in the software itself (mail-secure.el: a package in lisp
	for emacs; this is just one of the many crypto/privacy related things
	it does) please mail the author of this package ( tjic@openmarket.com)
	for details.

- ------------------------------ snip! ------------------------------

If anyone has a constructive suggestion as to how this mail could be
changed to convey more information or to be less "threatening", please
mail me.

- -- 
TJIC (Travis J.I. Corcoran)       http://www.openmarket.com/personal/tjic/

                             Member EFF, GOAL, NRA.
                 opinions (TJIC) != opinions (employer (TJIC))
         "Buy a rifle, encrypt your data, and wait for the Revolution!"
	  PGP encrypted mail preferred.   Ask me about gnuslive.el for emacs.



-----BEGIN PGP SIGNATURE-----
Version: 2.6
Comment: auto-signed by mail-secure.el v 0.998 using mailcrypt.el
Comment: Processed by Mailcrypt 3.3, an Emacs/PGP interface

iQCVAwUBMGmY+YJYfGX+MQb5AQGIvQP+KWoHrZeFYqWdyTe8K4iUrXvL6xtjG9S4
QLIkk2n6Zmzw9lNc915B6teYgFf55EI6H1NIyrT8RQXS6TfinlphNc9kH0YJqWjE
SIpEmfre6HuvHfYcWHLGb8hgX0Smwfvoq/nVqy3DT1H7s0Sbm4Ko532BOUKKzVxY
r2VLj5XmzEg=
=ptpV
-----END PGP SIGNATURE-----





Thread