1996-07-05 - Re: Lack of PGP signatures

Header Data

From: “Mark M.” <markm@voicenet.com>
To: Clay Olbon II <Clay.Olbon@dynetics.com>
Message Hash: a6e49d1a68a413da6ea7ce1873addf91fb31d82102990088e3edbe46be753ace
Message ID: <Pine.LNX.3.94.960705142635.1291A-100000@gak>
Reply To: <AE02CA43-160FAC@193.239.225.200>
UTC Datetime: 1996-07-05 22:25:58 UTC
Raw Date: Sat, 6 Jul 1996 06:25:58 +0800

Raw message

From: "Mark M." <markm@voicenet.com>
Date: Sat, 6 Jul 1996 06:25:58 +0800
To: Clay Olbon II <Clay.Olbon@dynetics.com>
Subject: Re: Lack of PGP signatures
In-Reply-To: <AE02CA43-160FAC@193.239.225.200>
Message-ID: <Pine.LNX.3.94.960705142635.1291A-100000@gak>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

On 5 Jul 1996, Clay Olbon II wrote:

> Mark M. <markm@voicenet.com> wrote:
> 
> >I didn't say that binaries couldn't be signed.  I said they couldn't be
> >*clear*-signed.  There is a difference between clearsigning and creating a
> >signature certificate that is either concatenated with the data or written
> >to a separate file.  If somebody who doesn't have PGP gets a file that is
> >signed by PGP, the file is completely useless to that person.
> >
> 
> My mistake.  I guess I still don't understand your point however.  Of what
> use is a signature on a file to someone who cannot check its validity?   It
> seems to me that a separate signature file for a binary would serve the
> same purpose ("gee, it LOOKS like somebody signed it").

A signature is of absolutely no use to someone who doesn't have PGP.  However,
somebody who doesn't have PGP can still read this message I am writting right
now.  That is why clear-signing is a Good Thing.  You are correct that a
separate signature file for a binary is just about the same as a clear-signed
message.(In fact they are the same thing.  The only difference is that a
signature of text that is going to be clear-signed is calculated over the text
with CRLF's and dashes and "From_"'s escaped out.  The "PGP SIGNATURE" part is
exactly the same as a seperate signature's "PGP MESSAGE".)

OK, now the point of this message: somebody pointed out that if a binary was
clear-signed using an option that would strip it down to 7 bits, the binary
would be corrupted and therefore, such an option on PGP would be a Bad Thing.
Then, I pointed out that not only would there be no point in a clear signature,
since that would make the binary useless to someone without PGP anyway.  It
is best to sign a binary and extract the certificate to a separate file, which
you noted above.  So an option that would strip data down to 7 bits would not
affect the ability to sign a binary.  Such an option would probably be a Good
Thing.

All this is giving me a severe headache.  Please excuse any run-on sentences.

- -- Mark

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
markm@voicenet.com              | finger -l for PGP key 0xe3bf2169
http://www.voicenet.com/~markm/ | d61734f2800486ae6f79bfeb70f95348
"Freedom is the freedom to say that two plus two make four.  If that
is granted, all else follows."  --George Orwell, _1984_


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3
Charset: noconv

iQCVAwUBMd1hMLZc+sv5siulAQHChQP/faS+DKcGht/SxCB+N0UlunSGcAcgUGaw
hX/3qB4pzqwBfCoT6GsMdiQ+wJsSBs7cYm3NMEcPQHNj08cc8Vt5G7lmegjKdhcM
hZBbpscafAnXf/+OcXp8KUIUbGWxEviyKfSskKoQC2IU9m607TRxMG45QHQr59Fc
MEweGyt4Jsk=
=TvfP
-----END PGP SIGNATURE-----





Thread