1996-06-23 - Re: Bad Signatures

Header Data

From: "Omegaman" <Omegaman@betty.bigeasy.com>
To: cypherpunks@toad.com
Message Hash: 3f09f3af7f047ad73b52fc6b854598fb650d624379b5a147f63cb87c1b204913
Message ID: <199606222228.QAA00570@betty.bigeasy.com>
Reply To: N/A
UTC Datetime: 1996-06-23 02:02:16 UTC
Raw Date: Sun, 23 Jun 1996 10:02:16 +0800

Raw message

From: "Omegaman" <Omegaman@betty.bigeasy.com>
Date: Sun, 23 Jun 1996 10:02:16 +0800
To: cypherpunks@toad.com
Subject: Re: Bad Signatures
Message-ID: <199606222228.QAA00570@betty.bigeasy.com>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

> From:          geoff@commtouch.co.il

> 
> IMHO Getting message authentication to work correctly should be a 
> cypherpunk objective.

How does posting notifications to the list satisfy that objective?
read on....

> Putting something like "Bad Signature Notification" in the subject will 
> make it quite easy for not-interested readers to killfile.

True.  But my opinion is that this list isn't the appropriate place 
for it.  Opinions were asked for, that is mine.  A separate list 
maybe...

> BTW this is the first time I have sighted the word "veracity" being 
> used in relation to signatures. Is the term used elsewhere? Could it be 
> used to separate the integrity property of a signature from its 
> authenticity property?

Oh lord. I don't want to get into semantic hair-splitting.  It's the 
word I chose at the time.  It may be the wrong one.  Don't read too 
much into it.


To put the issue simply.

Bob doesn't like Jane for whatever reason.  Jane signs all her 
messages with PGP.  Bob posts false "bad signature notifications" to 
the list to discredit Jane.  Am I to just read Bob's messages and 
believe the notifications he's posted?  No.  I still have to examine 
Jane's messages myself for signature authenticity.

I understand that this is one person who wants to perform this 
service objectively.  But why should I trust his motivations?  I 
still have to do my own individual signature checking to be sure.

For this reason, I think the idea accomplishes little.   The 
intentions are good, but I don't see a major benefit.  Maybe someone 
else has another idea or angle....

me

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMcwm5ab3EfJTqNC9AQGl3gP9HD4mhPY6dg69ZaWTeUYEsm+45rDFkgWW
mNDbfeudTAgfl6Jdnm+xs0g+yfZcQQUe5g/qBpp0Nk0SRyzzL+mq+U+CJr9GA6Pr
Mm3a3JY65mwYqTis1dO4FzHDvmhlN5GaBlQT0HOGPywQZGkMf3IXCGZIDZG7z4lH
V6/4Y94A7ho=
=paU2
-----END PGP SIGNATURE-----
-----------------------------------------------------------------------------------------------
Omegaman <omega@bigeasy.com>
PGP Key fingerprint =  6D 31 C3 00 77 8C D1 C2  59 0A 01 E3 AF 81 94 63
Send E-mail with the "get key" in the "Subject:" field
to get my public key
---------------------------------------------------------------------------------------------------------------------




