Digital Signatures

Moderator: MOD_nyhetsgrupper

Robert Melson

Digital Signatures

Posted by Robert Melson » 20 August 2004, 5:46

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Group:

Bob Heiling and another individual have criticized my use of digital
signatures in my postings to this and other genealogy newsgroups. This
posting will serve as a sample of what is being criticized.

While I realize that there's a large number of folks out there who
neither know nor care about digital signatures and the -- to me -- very
real security benefits they provide, their use in emails and/or
newsgroups should, I think, be encouraged. A properly created,
registered and used signature lets people at the other end of the
communications stream have some reasonable assurance that the
sender/poster is who he claims to be: many current software packages
automatically query the "key" server when receiving a digitally signed
item. This isn't an iron-clad guarantee that the Bob Melson signing
the post is the swell ol' Bob known and beloved by all his co-workers,
but it's a pretty good clue -- say 75-80% surety, and maybe more. To
my mind, this is a security and surety issue, and nothing more.

Bob H's argument, on the other side, is (1) that he sees no need now or
in the forceable (sp?) future and (2) because it adds a number of lines
to the original posting, it's stealing bandwidth. As well, because the
digital signature is a computed hexadecimal number, it appears as
unreadable gibberish. The further argument made is that the use of
digital signatures is pointless because most people are unaware of the
security status of their computers and storage systems.

OK. That's the argument as _I_ understand it at this point; perhaps Bob
H. will add his views in a followup posting.

What I'd like to ask of y'all is this: send an email to me at the
munged address in the signature below, subject Digital Signatures, with
a "yes" (meaning you agree with their use), a "no" (you don't like'em)
or "who cares", with the obvious meaning. If you feel strongly about
your position, please include temperate (no, Yoshi, _not_ tempura!)
comments of whatever length. I have a thick hide, but I do draw the
line at vulgarity for vulgarity's sake, ad hominem attacks and plain'ol
mean-spiritedness.

To keep things reasonable, let's let this run for 2 weeks starting with
this post (according to my Ingersoll, that'd be Thursday, Sep 2). I'll
summarize and sanitize and report back to the group, if there's any
interest. If the traffic is minimal, only a handful of responses over
the period, I'll still share the info but will let the comments speak
for themselves.

<plock! sound of tennis ball hitting a clay court>

Your comments, Bob?

Regards to all,
Bob Melson


- --
Robert G. Melson Nothing is more terrible than
Rio Grande MicroSolutions ignorance in action.
El Paso, Texas Goethe
melsonr(at)earthlink(dot)net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (FreeBSD)

iD8DBQFBJXQQGX60pjRVDrMRApdyAJ0T5OW5xwx29be7mvNJNbr4R1S4FgCghpHv
LxiJJveE1lc4ud67PcPfIZw=
=uopz
-----END PGP SIGNATURE-----

Robert Melson

Re: Digital Signatures

Posted by Robert Melson » 20 August 2004, 5:50

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday 19 August 2004 21:46, Robert Melson wrote:

<snip>
to the original posting, it's stealing bandwidth. As well, because
the digital signature is a computed hexadecimal number, it appears as
unreadable gibberish.

Well, that certainly exposed my feet of clay. Ain't hex, after all, but
random characters from the whole character set. Still isn't readable,
but ....


<snip>

Bob M

- --
Robert G. Melson Nothing is more terrible than
Rio Grande MicroSolutions ignorance in action.
El Paso, Texas Goethe
melsonr(at)earthlink(dot)net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (FreeBSD)

iD8DBQFBJXT1GX60pjRVDrMRAkrZAKDlxA6UFIyqZxpXNHZFcy4xLnQviQCeNONx
igM8K83cO2iX4Enqox6LkIY=
=I3gD
-----END PGP SIGNATURE-----

Doug

Re: Digital Signatures

Posted by Doug » 20 August 2004, 7:12

Robert Melson wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday 19 August 2004 21:46, Robert Melson wrote:

snip

to the original posting, it's stealing bandwidth. As well, because
the digital signature is a computed hexadecimal number, it appears as
unreadable gibberish.

Well, that certainly exposed my feet of clay. Ain't hex, after all, but
random characters from the whole character set. Still isn't readable,
but ....


snip

Bob M

- --
Robert G. Melson Nothing is more terrible than
Rio Grande MicroSolutions ignorance in action.
El Paso, Texas Goethe
melsonr(at)earthlink(dot)net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (FreeBSD)

iD8DBQFBJXT1GX60pjRVDrMRAkrZAKDlxA6UFIyqZxpXNHZFcy4xLnQviQCeNONx
igM8K83cO2iX4Enqox6LkIY=
=I3gD
-----END PGP SIGNATURE-----

Actually, I think it's an excellent idea, but presently have no idea how
a group of gibberish characters at the bottom of a message makes it
secure. I'm probably showing my ignorance of the subject (he says just
before he notices the message in the above signature block), but I
should think the recipient would need to have a "public key" of some
sort that would be accessed when such a message comes in and flag it
some how as legit or bogus.

Doug

Dennis Lee Bieber

Re: Digital Signatures

Posted by Dennis Lee Bieber » 20 August 2004, 8:47

On Fri, 20 Aug 2004 05:12:48 GMT, Doug <[email protected]>
declaimed the following in soc.genealogy.computing:

Actually, I think it's an excellent idea, but presently have no idea how
a group of gibberish characters at the bottom of a message makes it
secure. I'm probably showing my ignorance of the subject (he says just
before he notices the message in the above signature block), but I
should think the recipient would need to have a "public key" of some
sort that would be accessed when such a message comes in and flag it
some how as legit or bogus.

Typically, the public key is posted to servers, so a recipient
could attempt to retrieve the public key.

"Signed" messages basically reverse the normal encryption setup.
Rather than using a public key to encrypt, so only the recipient with
the private key can decrypt, signing encrypts a "checksum" of the
message body using the private key, so any reader can decrypt the
checksum and compare it to the message body. This detects if the body
has been modified.

--
==============================================================
[email protected] | Wulfraed Dennis Lee Bieber KD6MOG
[email protected] | Bestiaria Support Staff
==============================================================
Home Page: <http://www.dm.net/~wulfraed/>
Overflow Page: <http://wlfraed.home.netcom.com/>
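
The hash-then-sign flow described in the post above, as an added example that is not part of the original post: textbook RSA over a SHA-1 digest, using only the Python standard library. The keys are constructed toy values and all names are illustrative; real OpenPGP RSA pads the digest before signing, and DSA keys such as the DH/DSS key discussed in this thread verify with a different equation.

```python
import hashlib


def make_key(p, q, e=65537):
    """Build a textbook RSA key pair from two primes: (public, private)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, e), (n, d)


def digest(body):
    """The 'checksum' of the message body: SHA-1, as named in the posts here."""
    return int.from_bytes(hashlib.sha1(body).digest(), "big")


def sign(body, private):
    """Apply the private exponent to the digest; the body itself is untouched."""
    n, d = private
    return pow(digest(body), d, n)


def verify(body, signature, public):
    """Undo the signature with the public exponent and compare to a fresh digest."""
    n, e = public
    return pow(signature, e, n) == digest(body)


# Constructed toy keys built from Mersenne primes. They are only large enough
# to hold a 160-bit digest and must never be used for anything real.
SIGNER_PUB, SIGNER_PRIV = make_key(2**127 - 1, 2**89 - 1)
OTHER_PUB, OTHER_PRIV = make_key(2**107 - 1, 2**61 - 1)

# Constructed sample post; it stays readable because signing does not encrypt.
POST = b"Where do I find Wyoming death certificates?"


def demo():
    """Return the verification outcome for the cases a reader cares about."""
    sig = sign(POST, SIGNER_PRIV)
    long_post = POST * 2500  # roughly 100 kB of body text
    max_sig_bytes = (SIGNER_PUB[0].bit_length() + 7) // 8
    return {
        # Untouched body, right key: accepted.
        "genuine": verify(POST, sig, SIGNER_PUB),
        # One word changed after signing: digest no longer matches.
        "body_altered": verify(POST.replace(b"Wyoming", b"Montana"), sig, SIGNER_PUB),
        # Same body signed with someone else's private key: rejected.
        "signed_by_other_key": verify(POST, sign(POST, OTHER_PRIV), SIGNER_PUB),
        # Signature size depends on the key, not on the length of the post.
        "long_post_sig_fits": sign(long_post, SIGNER_PRIV).bit_length() <= max_sig_bytes * 8,
        "max_sig_bytes": max_sig_bytes,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```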

Mardon

Re: Digital Signatures

Posted by Mardon » 20 August 2004, 14:52

"Robert Melson" <[email protected]> wrote...

<*snip*>

Bob Heiling and another individual have criticized my use of digital
signatures in my postings to this and other genealogy newsgroups.
This posting will serve as a sample of what is being criticized.
*snip*
Your comments, Bob?

Hi Bob,

Ever since I got my original "Captain Video secret decoder ring", I've been
interested in codes and ciphers (honest), so I've decided to respond to your
request for comments regarding digital signatures.

I used to use PGP on a regular basis but after 9/11 my enthusiasm for it
waned. I have version 8 installed but I now have mixed feelings about using
it. I think it's a great technology but that's part of the problem. A
great technology in the wrong hands can be a great problem.

I looked up your public key and found the following:
Name: Robert Melson (UNIX Geek) <unmunged email address>
ID: 0x34550EB3
Type: DH/DSS
Size: 1024/1024
Created: 2003-05-12
Expires: Never
Cipher: AES-256
Photograph: None
Trusted Authority Signatures: None
Hex Fingerprint: 675C 1CAA 2068 E5EC 8F32 3EB3 197E B4A6 3455 0EB3

I have a couple of questions based on the foregoing. Why are you using a
key size of 1024/1024? My keys are 2048/1024 and that seems to be more
common these days. I know my first keys were 1024/1024 but that smaller
size seems outdated. Second, is there a reason that you have chosen not to
attach a photo ID to your public key or is that just something that you
haven't gotten around to doing? I'm inclined to think that if anyone is
going to sign publicly distributed messages, then a photograph ought to be
attached to their public key. It's just another layer of identification.
Finally, I notice that there are no verifying signatures attached to your
key. Have you considered getting it signed by such an authority? Unless a
public key is certified by a trusted authority, the sad reality is that the
key doesn't mean much. As you'll notice, this message isn't signed. That's
in tune with my reduced use of PGP since 9/11.
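
What the "gibberish" block under the opening post actually holds, as an added example that is not part of the thread: it is base64 armor around an OpenPGP version 3 signature packet, and the key ID inside it matches the ID and fingerprint quoted in the post above. Standard library only; function names are illustrative, and the algorithm tables are a subset of the RFC 4880 registries.

```python
import base64
from datetime import datetime, timezone

# Signature block copied from the opening post of this thread.
ARMORED = """-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (FreeBSD)

iD8DBQFBJXQQGX60pjRVDrMRApdyAJ0T5OW5xwx29be7mvNJNbr4R1S4FgCghpHv
LxiJJveE1lc4ud67PcPfIZw=
=uopz
-----END PGP SIGNATURE-----
"""
# Fingerprint as quoted in the key lookup above.
FINGERPRINT = "675C 1CAA 2068 E5EC 8F32 3EB3 197E B4A6 3455 0EB3"

SIG_TYPES = {0x00: "binary document", 0x01: "canonical text document"}
PUBKEY_ALGOS = {1: "RSA", 16: "Elgamal", 17: "DSA"}
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256"}


def crc24(data):
    """Armor checksum (RFC 4880): catches transmission damage, not forgery."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text):
    """Return (packet_bytes, crc_ok); crc_ok is None without a checksum line."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN ") and lines[-1].startswith("-----END ")):
        raise ValueError("not an ASCII-armored block")
    body = lines[1:-1]
    if "" not in body:
        raise ValueError("missing blank line after armor headers")
    body = body[body.index("") + 1:]  # skip "Version:" and similar headers
    raw = base64.b64decode(
        "".join(ln for ln in body if ln and not ln.startswith("=")), validate=True)
    crc_lines = [ln for ln in body if ln.startswith("=")]
    crc_ok = None
    if crc_lines:
        expected = int.from_bytes(base64.b64decode(crc_lines[0][1:]), "big")
        crc_ok = crc24(raw) == expected
    return raw, crc_ok


def parse_signature(packet):
    """Decode an old-format, version 3 signature packet into named fields."""
    tag = packet[0]
    # Old-format header bits: 1 0 tttt ll; tag 2 is a signature, ll=0 means
    # a single length octet follows.
    if tag & 0xC0 != 0x80 or (tag >> 2) & 0x0F != 2 or tag & 0x03 != 0:
        raise ValueError("expected an old-format signature packet")
    body = packet[2:2 + packet[1]]
    if len(body) != packet[1]:
        raise ValueError("truncated packet")
    if body[0] != 3 or body[1] != 5:
        raise ValueError("only version 3 signatures are handled here")
    created = datetime.fromtimestamp(int.from_bytes(body[3:7], "big"), tz=timezone.utc)
    fields = {
        "version": body[0],
        "sig_type": SIG_TYPES.get(body[2], hex(body[2])),
        "created": created.isoformat(),
        "key_id": body[7:15].hex().upper(),
        "pubkey_algo": PUBKEY_ALGOS.get(body[15], str(body[15])),
        "hash_algo": HASH_ALGOS.get(body[16], str(body[16])),
        "hash_prefix": body[17:19].hex(),  # first 16 bits of the signed digest
        "mpi_bits": [],                    # sizes of the signature integers
    }
    pos = 19
    while pos < len(body):
        bits = int.from_bytes(body[pos:pos + 2], "big")
        fields["mpi_bits"].append(bits)
        pos += 2 + (bits + 7) // 8
    return fields


def key_id_matches(key_id, fingerprint):
    """For keys of this generation the key ID is the fingerprint's low 64 bits."""
    return fingerprint.replace(" ", "").upper().endswith(key_id)


if __name__ == "__main__":
    packet, crc_ok = dearmor(ARMORED)
    print("armor checksum ok:", crc_ok)
    for name, value in parse_signature(packet).items():
        print(f"{name}: {value}")
```

Nothing in the packet is secret or random apart from the two signature integers; the signer's key ID, the signing time and the algorithms are readable by anyone without any key.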

singhals

Re: Digital Signatures

Posted by singhals » 20 August 2004, 15:05

Edward A. Feustel wrote:


The receiver checks the validity of the certificate. In my case, my
certificate is a Thawte free-mail


I'm trying to imagine a genealogical message sufficiently important to
*need* that level of security regarding who sent it.

I can see where it has applications in the business world, certainly in
criminal justice, or medicine -- but always in private e-mail, because
one would not post publicly biopsy results or post-mortem findings
which may cause life-or-death decisions; one would not publicly post
one's business choices as in should our company buy your company for $X
megamillions or his for $X+5 megamillions; one would not publicly post
a last-minute stay of execution ...

But, "Did you check PollyBloop.com's new modem" or "Where do I find
Wyoming death certificates" certainly doesn't rise to those levels.

Besides, one of my computers routinely locks itself down, believing in
its paranoia that the PGP is a virus trying to do it harm. (g)

Cheryl

Dave Hinz

Re: Digital Signatures

Posted by Dave Hinz » 20 August 2004, 16:38

On Fri, 20 Aug 2004 03:46:51 GMT, Robert Melson <[email protected]> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Group:

Bob Heiling and another individual have criticized my use of digital
signatures in my postings to this and other genealogy newsgroups.

I must have missed those posts, or you can bet I would have commented.
So, it's all about this:

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (FreeBSD)

iD8DBQFBJXQQGX60pjRVDrMRApdyAJ0T5OW5xwx29be7mvNJNbr4R1S4FgCghpHv
LxiJJveE1lc4ud67PcPfIZw=
=uopz
-----END PGP SIGNATURE-----

....then?

I dunno. There have been problems in these specific groups before with
people who are vocal having messages forged in their identity, usually
after the vocal person pisses off a troll. While having a pgp signature
of a post to compare it against, I can't think of a single posting forgery
where even the slightest skill was shown in header manipulation, so it was
trivial to detect (and filter).

I suppose one scenario where I'd actually check the PGP signature would
be if a very out-of-character post came through from someone who used
them, and the headers looked normal for that sender, but in all reality,
if it was that suspect it'd probably be disregarded as a forgery anyway, so
what's the point in checking the signature.

So, I think I'm in the "I don't see a problem, but I can't see it ever
being put to any use" category which wasn't one of your presented choices.
There's a bunch more cruft hidden away up in the headers which takes more
bytes/time, so it seems like a big deal over not much, but a not much which
isn't particularly useful in a real-world Usenet post situation.

Dave Hinz

Robert Melson

Re: Digital Signatures

Posted by Robert Melson » 20 August 2004, 16:49

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Friday 20 August 2004 07:04, Mardon wrote:

"Robert Melson" <[email protected]> wrote...
snip



Ever since I got my original "Captain Video secret decoder ring", I've
been interested in codes and ciphers (honest), so I've decided to
respond to your request for comments regarding digital signatures.

With me, it was Helen Fouche Gaines' "Advanced Cryptography" from Dover
Press.

I used to use PGP on a regular basis but after 9/11 my enthusiasm for
it waned. I have version 8 installed but I now have mixed feelings about
using it. I think it's a great technology but that's part of the problem.
A great technology in the wrong hands can be a great problem.

I'm certainly not suggesting that we all rush out and encrypt everything
on our systems -- that's taking paranoia a bit far, I think. The idea
of having a trusted signature is something else again, however.

I looked up your public key and found the following:
Name: Robert Melson (UNIX Geek) <unmunged email address>
ID: 0x34550EB3
Type: DH/DSS
Size: 1024/1024
Created: 2003-05-12
Expires: Never
Cipher: AES-256
Photograph: None
Trusted Authority Signatures: None

And here you expose the fragility of the system. Unless one has a "web
of trust", with folks willing/able to sign a signature as being from
you or me or whomever, the whole system falls apart.

Hex Fingerprint: 675C 1CAA 2068 E5EC 8F32 3EB3 197E B4A6 3455 0EB3

I have a couple of questions based on the foregoing. Why are you
using a key size of 1024/1024? My keys are 2048/1024 and that seems
to be more

For a signing key, 1024 bits is adequate and a reasonable compromise.

common these days. I know my first keys were 1024/1024 but that
smaller size seems outdated. Second, is there a reason that you have
chosen not to attach a photo ID to your public key or is that just
something that you haven't gotten around to doing?

Frankly, I don't have any pictures of myself that I'd want to put on the
'net -- they'd either sour milk at 10 paces or cause the remote user's
display to go into terminal (oops!) melt-down.

<snip>

- --
Robert G. Melson Nothing is more terrible than
Rio Grande MicroSolutions ignorance in action.
El Paso, Texas Goethe
melsonr(at)earthlink(dot)net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (FreeBSD)

iD8DBQFBJg9TGX60pjRVDrMRAj7EAJ44fzSPTkXfklOftn1BmDggM0oc5QCfZiQ4
Z9NQvtLkMpbl5pAB/hWMLAU=
=ZNQn
-----END PGP SIGNATURE-----

Steve Hayes

Re: Digital Signatures

Posted by Steve Hayes » 20 August 2004, 19:47

On Fri, 20 Aug 2004 03:46:51 GMT, Robert Melson <[email protected]>
wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Group:

Bob Heiling and another individual have criticized my use of digital
signatures in my postings to this and other genealogy newsgroups. This
posting will serve as a sample of what is being criticized.

While I realize that there's a large number of folks out there who
neither know nor care about digital signatures and the -- to me -- very
real security benefits they provide, their use in emails and/or
newsgroups should, I think, be encouraged. A properly created,
registered and used signature lets people at the other end of the
communications stream have some reasonable assurance that the
sender/poster is who he claims to be: many current software packages
automatically query the "key" server when receiving a digitally signed
item. This isn't an iron-clad guarantee that the Bob Melson signing
the post is the swell ol' Bob known and beloved by all his co-workers,
but it's a pretty good clue -- say 75-80% surety, and maybe more. To
my mind, this is a security and surety issue, and nothing more.

I can understand the usefulness of this in a private e-mail message authorising
someone to draw money from my bank account or something like that -- but in a
public newsgroup?

Which programs check, and anyway, who cares?


- --
Robert G. Melson Nothing is more terrible than
Rio Grande MicroSolutions ignorance in action.
El Paso, Texas Goethe
melsonr(at)earthlink(dot)net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (FreeBSD)

iD8DBQFBJXQQGX60pjRVDrMRApdyAJ0T5OW5xwx29be7mvNJNbr4R1S4FgCghpHv
LxiJJveE1lc4ud67PcPfIZw=
=uopz
-----END PGP SIGNATURE-----

I'm not sure what my newsreader is supposed to do that, but where are you
posting the key?


--
Steve Hayes from Tshwane, South Africa
http://www.geocities.com/Athens/7734/stevesig.htm
E-mail - see web page, or parse: shayes at dunelm full stop org full stop uk

Robert Melson

Re: Digital Signatures

Posted by Robert Melson » 20 August 2004, 20:32

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Friday 20 August 2004 11:47, Steve Hayes wrote:

<snip>

I can understand the usefulness of this in a private e-mail message
authorising someone to draw money from my bank account or something
like that -- but in a public newsgroup?

Which programs check, and anyway, who cares?

Well, if you were running Mozilla with Enigmail as your browser and
newsreader, it'd do that for you pretty much automatically. I'm no
Micro$oft fan, so I can't really say what's available for OE or
internet exploder; I've heard, tho', that plugins are available for
them that'll provide the same capability.

If you don't care, you don't care and that's perfectly fine. I have
this old-fashioned desire to know who I'm "chatting" with and believe,
apart from the newsgroups, that the folks with whom I chat feel
somewhat the same. Thus an attempt at having a verifiable identity
through digital signing.

<snip>
I'm not sure what my newsreader is supposed to do that, but where are
you posting the key?

You shouldn't have to worry about it, but the URI is:
x-hkp://pgp.mit.edu
(and, no, that's not an error). There are several key servers around
the world that share their information, so what's found on one is
likely to be found on the rest. This just happens to be the one I
registered with.


--
Steve Hayes from Tshwane, South Africa
http://www.geocities.com/Athens/7734/stevesig.htm
E-mail - see web page, or parse: shayes at dunelm full stop org full
stop uk

- --
Robert G. Melson Nothing is more terrible than
Rio Grande MicroSolutions ignorance in action.
El Paso, Texas Goethe
melsonr(at)earthlink(dot)net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (FreeBSD)

iD8DBQFBJkO8GX60pjRVDrMRApk4AKCzIvOMf8e/sZzofaCU1DrKFwIOqACffG0v
FRNTh7eLM+cnvZ1GLgSUvbg=
=T3GJ
-----END PGP SIGNATURE-----

Rick Merrill

Re: Digital Signatures

Posted by Rick Merrill » 20 August 2004, 21:58

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Steve Hayes wrote:
On Fri, 20 Aug 2004 03:46:51 GMT, Robert Melson
<[email protected]> wrote:


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Group:

Bob Heiling and another individual have criticized my use of
digital signatures in my postings to this and other genealogy
newsgroups. This posting will serve as a sample of what is being
criticized.

While I realize that there's a large number of folks out there who
neither know nor care about digital signatures and the -- to me --
very real security benefits they provide, their use in emails
and/or
newsgroups should, I think, be encouraged. A properly created,
registered and used signature lets people at the other end of the
communications stream have some reasonable assurance that the
sender/poster is who he claims to be: many current software
packages automatically query the "key" server when receiving a
digitally signed item. This isn't an iron-clad guarantee that the
Bob Melson signing the post is the swell ol' Bob known and beloved
by all his co-workers, but it's a pretty good clue -- say 75-80%
surety, and maybe more. To my mind, this is a security and surety
issue, and nothing more.


I can understand the usefulness of this in a private e-mail message
authorising someone to draw money from my bank account or something
like that -- but in a public newsgroup?

Does it not verify that the signature (from:) is not forged!?

- - RM



-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBQSZXzyeP6pLfWGOLEQJN2QCfdw7S9Btv7DgWPzWlE2WE23WfE6YAn314
Autz1lB55AkOmWnQiUldM52L
=XwdE
-----END PGP SIGNATURE-----

Steve Hayes

Re: Digital Signatures

Posted by Steve Hayes » 21 August 2004, 9:34

On Fri, 20 Aug 2004 19:58:05 GMT, Rick Merrill <[email protected]>
wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Steve Hayes wrote:
On Fri, 20 Aug 2004 03:46:51 GMT, Robert Melson
<[email protected]> wrote:


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Group:

Bob Heiling and another individual have criticized my use of
digital signatures in my postings to this and other genealogy
newsgroups. This posting will serve as a sample of what is being
criticized.

While I realize that there's a large number of folks out there who
neither know nor care about digital signatures and the -- to me --
very real security benefits they provide, their use in emails
and/or
newsgroups should, I think, be encouraged. A properly created,
registered and used signature lets people at the other end of the
communications stream have some reasonable assurance that the
sender/poster is who he claims to be: many current software
packages automatically query the "key" server when receiving a
digitally signed item. This isn't an iron-clad guarantee that the
Bob Melson signing the post is the swell ol' Bob known and beloved
by all his co-workers, but it's a pretty good clue -- say 75-80%
surety, and maybe more. To my mind, this is a security and surety
issue, and nothing more.


I can understand the usefulness of this in a private e-mail message
authorising someone to draw money from my bank account or something
like that -- but in a public newsgroup?

Does it not verify that the signature (from:) is not forged!?

Dunno. I haven't found a setting on my newsreader to do that, and when it's a
public newsgroup, I really don't care very much.

I find the hash sha1 stuff a bit of an unnecessary distraction, but if
people really feel impelled to put it in their messages so be it. It's not as
annoying as HTML.




--
Steve Hayes from Tshwane, South Africa
http://www.geocities.com/Athens/7734/stevesig.htm
E-mail - see web page, or parse: shayes at dunelm full stop org full stop uk

Robert Melson

Re: Digital Signatures

Posted by Robert Melson » 22 August 2004, 4:42

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Friday 20 August 2004 03:47, Edward A. Feustel wrote:

<snip>

The receiver can then use the public key to send encrypted mail to the
sender.

Note that Thawte freemail certificates are free. One can go through a
verification procedure which permits the user's name to be included in
the certificate. To get a certificate:

http://www.thawte.com/email/index.html

Please feel free to get a certificate and join the Web of Trust.
http://www.thawte.com/wot/index.html

Ed Feustel
Genealogist and Web of Trust Notary

Ed:

The problem here is that I'm talking apples and you're talking bananas.
SSL (Secure Socket Layer) is significantly different from the public
key crypto systems found in, e.g., GnuPG or PGP of whatever version. I
don't think this is the place to indulge in a full scale tutorial (and
I'm not sure I'm qualified, anyway).

Bob Melson

- --
Robert G. Melson Nothing is more terrible than
Rio Grande MicroSolutions ignorance in action.
El Paso, Texas Goethe
melsonr(at)earthlink(dot)net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (FreeBSD)

iD8DBQFBKAgBGX60pjRVDrMRAv9kAJ43Lz+xXFv2NP98UjUWqn8S2GapBwCcC1YN
hQ9PH0o76j5htkIdUa7ipF8=
=0Sie
-----END PGP SIGNATURE-----

Robert Melson

Re: Digital Signatures

Posted by Robert Melson » 22 August 2004, 5:10

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday 19 August 2004 21:46, Robert Melson wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Group:

Bob Heiling and another individual have criticized my use of digital
signatures in my postings to this and other genealogy newsgroups.
This posting will serve as a sample of what is being criticized.
snip


To keep things reasonable, let's let this run for 2 weeks starting with
this post (according to my Ingersoll, that'd be Thursday, Sep 2). I'll
summarize and sanitize and report back to the group, if there's any
interest. If the traffic is minimal, only a handful of responses over
the period, I'll still share the info but will let the comments speak
for themselves.

plock! sound of tennis ball hitting a clay court

Your comments, Bob?


Gotta tell ya, the response so far has been seriously underwhelming.
Apart from the handful of posts here -- most of which seem to fall into
the who cares category, I've had 4 emails: 2 yes, 1 yes, but, one who
cares.

To avoid further wasting your time and mine, I am going to shut this
down as of midnight, tonight and will merely deep-six emails on the
topic. If you want to keep the thread going here on the group, have
fun.

Apart from more than amply demonstrating the apathy of the average
computer user when it comes to things not immediately parseable
on-line, this discussion has also shown that the very vocal minority
are just that - a very vocal minority. I should have known this for
myself after the hue and cry of a few years back, when the very helpful
Broderbund tech support guy was hounded to death by that same minority
because he had the temerity to answer questions about his product in a
favorable light and didn't, ready for this, recommend the competition's
product instead of his own. What gall!

Final comment. If there's anybody on the group who'd like to further
explore public key cryptography, digital signatures, one-way hash
functions, etc, Bruce Schneier has a very informative, but technical,
book, "Applied Cryptography", John Wiley & Sons, 1993. There are newer
editions available, I'm sure, but this is the hallmark work and belongs
on every paranoid's bookshelf (remember, paranoids have enemies, too).
I won't do the google for you, but googling for public key cryptography
or pgp (pretty good privacy) will produce an intimidating number of
hits.

For those few who said, in essence, I don't understand, but who cares,
let me say that I think you're heading for dangerous waters in the not
distant future. Without knowledge of the security capabilities of your
system and applications, particularly your browser, newsreader and
email system, you expose yourself to every malicious asshole out there
who gets his jollies from trashing other people's machines, stealing
those machines' functions to carry out his spamming or virus propagation
or ... you name the mental and moral shortcoming that sets you off. I
mention this because a number of major ISPs in the US will soon be
demanding that Joe User have a 128bit capable browser in order to
access webmail and other "system" services. This means older browsers,
mailers, etc., are gonna be flying out the windows like dishware in an
Italian neighborhood at New Years.

- --
Robert G. Melson Nothing is more terrible than
Rio Grande MicroSolutions ignorance in action.
El Paso, Texas Goethe
melsonr(at)earthlink(dot)net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (FreeBSD)

iD8DBQFBKA53GX60pjRVDrMRAvq3AJ9qOIOzCEuV7CntHCKmofjWDvwpiwCfURw4
nIA9BNKU5bP+gbMIgL/ezBs=
=8W58
-----END PGP SIGNATURE-----

Tom Perrett

Re: Digital Signatures

Posted by Tom Perrett » 22 August 2004, 14:11

On Fri, 20 Aug 2004 03:46:51 GMT, Robert Melson wrote:

What I'd like to ask of y'all is this: send an email to me at the
munged address in the signature below

How can I send an email to a munged address??


Cheers,

Tom [Tom Perrett] <[email protected]>

Robert Heiling

Re: Digital Signatures

Posted by Robert Heiling » 22 August 2004, 17:23

Robert Melson wrote:

snip
Gotta tell ya, the response so far has been seriously underwhelming.

That's not surprising considering that your request for responses was buried
beneath so much discussion.

Apart from more than amply demonstrating the apathy of the average
computer user when it comes to things not immediately parseable
on-line,

See above.

this discussion has also shown that the very vocal minority
are just that - a very vocal minority.

A standard straw man to blame. I'm disappointed in you.

snip historical distortions & other exaggerations

Bob

Charlie

Re: Digital Signatures

Posted by Charlie » 22 August 2004, 18:02

On Sun, 22 Aug 2004 03:10:10 GMT, Robert Melson
<[email protected]> wrote:
<snip>
Gotta tell ya, the response so far has been seriously underwhelming.
Apart from the handful of posts here -- most of which seem to fall into
the who cares category, I've had 4 emails: 2 yes, 1 yes, but, one who
cares.

OK, I don't like it either, but considered the topic "way" off, so
simply marked the thread as "ignore" long ago.

Charlie Hoffpauir
http://freepages.genealogy.rootsweb.com/~charlieh/

Robert Melson

Re: Digital Signatures

Posted by Robert Melson » 22 August 2004, 18:18

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sunday 22 August 2004 06:11, Tom Perrett wrote:

On Fri, 20 Aug 2004 03:46:51 GMT, Robert Melson wrote:

What I'd like to ask of y'all is this: send an email to me at the
munged address in the signature below

How can I send an email to a munged address??


Cheers,

Tom [Tom Perrett] <[email protected]>

I'm not sure that deserves an answer. The address in the signature
should be pretty evident how to "unmunge" and it doesn't require an
advanced degree in rocket science to be able to figure out that the
NOSPAM in the From: address in the header ....

Sorry if that sounds snotty -- probably is -- but, gimme a break, will
ya?

- --
Robert G. Melson Nothing is more terrible than
Rio Grande MicroSolutions ignorance in action.
El Paso, Texas Goethe
melsonr(at)earthlink(dot)net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (FreeBSD)

iD8DBQFBKMcvGX60pjRVDrMRAttBAKDIFaIN7z7GvT+qz0SHYLZEgQK+nQCeOTnY
L50nYSJrQCU0b5P6A7w7geg=
=tolS
-----END PGP SIGNATURE-----

Robert Melson

Re: Digital Signatures

Posted by Robert Melson » 22 August 2004, 18:30

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sunday 22 August 2004 09:23, Robert Heiling wrote:

Robert Melson wrote:

snip
Gotta tell ya, the response so far has been seriously underwhelming.

That's not surprising considering that your request for responses was
buried beneath so much discussion.

Apart from more than amply demonstrating the apathy of the average
computer user when it comes to things not immediately parseable
on-line,

See above.

this discussion has also shown that the very vocal minority
are just that - a very vocal minority.

A standard straw man to blame. I'm disappointed in you.

snip historical distortions & other exaggerations

Bob


OK, Bob. This will be my last word on the topic. You will note that
the whole question became an entirely new thread. Thus, it wasn't
buried in any way, shape or form.

RE: vocal minority. If the foo shits. No strawman here, no excuse on
my part. The very public lynching of -- what was his name, Paul Burch?
- -- was one of the reasons I left the group, years ago. Similar
behaviors today are likely to be a reason I leave again.

Historical distortions? Honesty impels me to say, perhaps. Memory,
always suspect after a certain age, insists that the leader of the pack
was none other than Bob Heiling and a few of his myrmidons. If I'm
wrong, I apologize, but I won't search for the events.

So, back to the original. Nobody seems much exercised by the pgp
signature and the extra lines it adds to a posting. I'll drop the
topic.

Bye, Bob.

- --
Robert G. Melson Nothing is more terrible than
Rio Grande MicroSolutions ignorance in action.
El Paso, Texas Goethe
melsonr(at)earthlink(dot)net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (FreeBSD)

iD8DBQFBKMoRGX60pjRVDrMRArPKAJ9cRAE0CPzRzjj6H/g0A7y/EM+CiwCePxhM
Ij67ZUOxAuLWWBeeQJmTDoQ=
=sRlS
-----END PGP SIGNATURE-----

Robert Heiling

Re: Digital Signatures

Posted by Robert Heiling » 22 August 2004, 18:45

Robert Melson wrote:

On Sunday 22 August 2004 06:11, Tom Perrett wrote:
On Fri, 20 Aug 2004 03:46:51 GMT, Robert Melson wrote:

What I'd like to ask of y'all is this: send an email to me at the
munged address in the signature below

How can I send an email to a munged address??
snip
Sorry if that sounds snotty -- probably is -- but, gimme a break, will
ya?

Apparently you missed his tongue-in-cheek humor. Getting a bit uptight are
we?<vbg>

Bob

Robert Heiling

Re: Digital Signatures

Posted by Robert Heiling » 22 August 2004, 19:11

Robert Melson wrote:

On Sunday 22 August 2004 09:23, Robert Heiling wrote:

Robert Melson wrote:

snip
Gotta tell ya, the response so far has been seriously underwhelming.

That's not surprising considering that your request for responses was
buried beneath so much discussion.

Apart from more than amply demonstrating the apathy of the average
computer user when it comes to things not immediately parseable
on-line,

See above.

this discussion has also shown that the very vocal minority
are just that - a very vocal minority.

A standard straw man to blame. I'm disappointed in you.

snip historical distortions & other exaggerations

Bob

OK, Bob. This will be my last word on the topic. You will note that
the whole question became an entirely new thread. Thus, it wasn't
buried in any way, shape or form.

No no no! Look at the actual posting itself.

RE: vocal minority. If the foo shits. No strawman here, no excuse on
my part.

It seems that any time anybody complains about anything, they are a "vocal
minority". In fact, studies have been made and for every customer who
complains, there are on the order of ~27 who don't complain but silently
leave.

The very public lynching of -- what was his name, Paul Burch?
- -- was one of the reasons I left the group, years ago.

So terribly important that you can't even remember his name?

Similar
behaviors today are likely to be a reason I leave again.

Hmmmm and no PGP junk then?<vbg>

Historical distortions? Honesty impels me to say, perhaps. Memory,
always suspect after a certain age, insists that the leader of the pack
was none other than Bob Heiling and a few of his myrmidons. If I'm
wrong, I apologize, but I won't search for the events.

"leader", no. Involved, yes. There was never any "lynching", but much
helpful advertising of the FTM customer support website. There were people
who distorted those efforts at the time and it seems they would like to
continue that.

So, back to the original. Nobody seems much exercised by the pgp
signature and the extra lines it adds to a posting.

You don't really know for sure.

I'll drop the
topic.

Bye, Bob.

Adios muchacho.

Bob

Anne Chambers

Re: Digital Signatures

Posted by Anne Chambers » 23 August 2004, 0:47

On Sun, 22 Aug 2004 03:10:10 GMT, Robert Melson
<[email protected]> wrote:
snip

Gotta tell ya, the response so far has been seriously underwhelming.
Apart from the handful of posts here -- most of which seem to fall into
the who cares category, I've had 4 emails: 2 yes, 1 yes, but, one who
cares.


I replied privately with a 'No' which you didn't acknowledge.
If it takes up the beginning of my screen and I have to scroll down to
read the message, I don't bother.

Anne

Robert Melson

Re: Digital Signatures

Posted by Robert Melson » 23 August 2004, 4:06

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sunday 22 August 2004 16:35, Anne Chambers wrote:

On Sun, 22 Aug 2004 03:10:10 GMT, Robert Melson
<[email protected]> wrote:
snip

Gotta tell ya, the response so far has been seriously underwhelming.
Apart from the handful of posts here -- most of which seem to fall
into
the who cares category, I've had 4 emails: 2 yes, 1 yes, but, one
who cares.


I replied privately with a 'No' which you didn't acknowledge.
If it takes up the beginning of my screen and I have to scroll down to
read the message, I don't bother.

Anne

Sorry, my bad. I still have all of 4 emails and hadn't thought to
acknowledge them separately. I'm not sure but what we're talking
apples and bananas, as there's no pgp signature I'm aware of that takes
up half the screen or makes it impossible to bottom post. Anyway, my
apologies for not correctly reporting your mailing.

Bob

- --
Robert G. Melson Nothing is more terrible than
Rio Grande MicroSolutions ignorance in action.
El Paso, Texas Goethe
melsonr(at)earthlink(dot)net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (FreeBSD)

iD8DBQFBKVEiGX60pjRVDrMRAjBxAJ9kLvmKxXv9/MwStRvxo0YmDDuYIQCgiLBm
dloh/dSvopMiKhlZDhA/Ggo=
=0inV
-----END PGP SIGNATURE-----

Jim Elbrecht

Re: Digital Signatures

Posted by Jim Elbrecht » 23 August 2004, 4:50

Anne Chambers <[email protected]> wrote:

On Sun, 22 Aug 2004 03:10:10 GMT, Robert Melson
<[email protected]> wrote:
snip

Gotta tell ya, the response so far has been seriously underwhelming.
Apart from the handful of posts here -- most of which seem to fall into
the who cares category, I've had 4 emails: 2 yes, 1 yes, but, one who
cares.


I replied privately with a 'No' which you didn't acknowledge.
If it takes up the beginning of my screen and I have to scroll down to
read the message, I don't bother.

I also replied with a 'No'. It hasn't bounced back yet, so I assume
it reached its destination.

Jim

Robert Melson

Re: Digital Signatures

Posted by Robert Melson » 23 August 2004, 4:57

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sunday 22 August 2004 20:50, Jim Elbrecht wrote:
<snip>

I also replied with a 'No'. It hasn't bounced back yet, so I assume
it reached its destination.

Jim

Sorry, I haven't seen it yet. And I can't count what I don't see. I'll
keep an eye open for it and let you know when/if it's delivered.

Bob

- --
Robert G. Melson Nothing is more terrible than
Rio Grande MicroSolutions ignorance in action.
El Paso, Texas Goethe
melsonr(at)earthlink(dot)net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (FreeBSD)

iD8DBQFBKVz3GX60pjRVDrMRAn56AKDYXG7dyBbQs5egXVoGicEUgxpc4ACfRqDu
axxDonYkrHME97cves9bqGQ=
=R1cu
-----END PGP SIGNATURE-----

Jim Elbrecht

Re: Digital Signatures

Posted by Jim Elbrecht » 23 August 2004, 13:08

Robert Melson <[email protected]> wrote:

-snip-
I also replied with a 'No'. It hasn't bounced back yet, so I assume
it reached its destination.

Jim

Sorry, I haven't seen it yet. And I can't count what I don't see. I'll
keep an eye open for it and let you know when/if it's delivered.

My bad--- I checked my 'sent' folder & it appears I snipped the 'r'
in melsonr -- resent for your edification.

Jim

Rick Merrill

Re: Digital Signatures - really

Posted by Rick Merrill » 23 August 2004, 14:33

Robert Melson wrote:
-----BEGIN PGP SIGNED MESSAGE-----
....


The message is verified by me:

*** PGP Signature Status: unknown
*** Signer: Unknown, Key ID = 0x34550EB3
*** Signed: 8/19/2004 11:46:24 PM
*** Verified: 8/23/2004 8:24:01 AM
*** BEGIN PGP VERIFIED MESSAGE ***
"
Group:
....
While I realize that there's a large number of folks out there ...
"


But as you can see in the *** lines the number of "unknown" bits
makes the result not a lot more interesting than the so-called
hexadecimal gibberish.

Did anyone else take the trouble to 'verify' the message? (bet -)

Since the message was unencrypted, a 'signature' would be easy
to forge: just cut and paste Robert's!-)

On the other hand, if Robert had also *encrypted* his message
could anyone have read it? (I'll bet not).

Dave Hinz

Re: Digital Signatures

Posted by Dave Hinz » 23 August 2004, 17:23

On Sun, 22 Aug 2004 03:10:10 GMT, Robert Melson <[email protected]> wrote:
I should have known this for
myself after the hue and cry of a few years back, when the very helpful
Broderbund tech support guy was hounded to death by that same minority
because he had the temerity to answer questions about his product in a
favorable light and didn't, ready for this, recommend the competition's
product instead of his own. What gall!

Paul something, right? Burchfeldt, Birchfield, something like that.
Seemed like a very patient person, maybe he finally ran out of patience.
It is awfully nice to have manufacturer's reps here to help, I've seen
questions answered by the Legacy folks, Reunion, TMG, and probably others
here. Ah well.

Final comment. If there's anybody on the group who'd like to further
explore public key cryptography, digital signatures, one-way hash
functions, etc, Bruce Schneier has a very informative, but technical,
book, "Applied Cryptography", John Wiley & Sons, 1993. There are newer
editions available, I'm sure, but this is the hallmark work and belongs
on every paranoid's bookshelf (remember, paranoids have enemies, too).

Yup, good book. Pretty heavy reading though, but the topic is pretty heavy
to begin with.

I
mention this because a number of major ISPs in the US will soon be
demanding that Joe User have a 128bit capable browser in order to
access webmail and other "system" services. This means older browsers,
mailers, etc., are gonna be flying out the windows like dishware in an
Italian neighborhood at New Years.

Well, 40-bit encryption (the old old standard) is pretty much dead, 56-bit
isn't far behind, so yeah, 128bit isn't unreasonable. The thing is,
browsers older than that already are more insecure than their users know,
as the root certificate list is expired and they got one popup warning
about it, about a year ago, which they have all forgotten they said "don't
show me this again" instead of fixing the problem. Ah well.

In the early days of computers, the users generally had a clue about what
was important. I'm guessing that the first car owners were the same,
100 years or so ago...and now look at _that_ situation; can't even get
people to wear seat belts. Pretty much the same problem with different
technology and different penalties.

Charlie

Re: Digital Signatures

Posted by Charlie » 23 August 2004, 18:21

On 23 Aug 2004 15:23:49 GMT, Dave Hinz <[email protected]> wrote:

On Sun, 22 Aug 2004 03:10:10 GMT, Robert Melson <[email protected]> wrote:
I should have known this for
myself after the hue and cry of a few years back, when the very helpful
Broderbund tech support guy was hounded to death by that same minority
because he had the temerity to answer questions about his product in a
favorable light and didn't, ready for this, recommend the competition's
product instead of his own. What gall!

Paul something, right? Burchfeldt, Birchfield, something like that.
Seemed like a very patient person, maybe he finally ran out of patience.
It is awfully nice to have manufacturer's reps here to help, I've seen
questions answered by the Legacy folks, Reunion, TMG, and probably others
here. Ah well.

Paul was an employee of FTM for many years, following it through
several ownerships that I'm aware of. With the last sale of FTM the
owner "relocated" (to Utah I think) the staff & facilities, and Paul
either chose not to relocate, or was not offered the opportunity. In
any case, he and FTM parted ways.

Charlie Hoffpauir
http://freepages.genealogy.rootsweb.com/~charlieh/

Robert Heiling

Re: Digital Signatures

Posted by Robert Heiling » 23 August 2004, 21:02

Charlie wrote:

On 23 Aug 2004 15:23:49 GMT, Dave Hinz <[email protected]> wrote:

On Sun, 22 Aug 2004 03:10:10 GMT, Robert Melson <[email protected]> wrote:
I should have known this for
myself after the hue and cry of a few years back, when the very helpful
Broderbund tech support guy was hounded to death by that same minority
because he had the temerity to answer questions about his product in a
favorable light and didn't, ready for this, recommend the competition's
product instead of his own. What gall!

Paul something, right? Burchfeldt, Birchfield, something like that.
Seemed like a very patient person, maybe he finally ran out of patience.
It is awfully nice to have manufacturer's reps here to help, I've seen
questions answered by the Legacy folks, Reunion, TMG, and probably others
here. Ah well.

Paul was an employee of FTM for many years, following it through
several ownerships that I'm aware of.

Yes. You're right about Paul Burchfield. He was still posting here in his role as an
employee of genealogy.com as recently as just over a year ago.
<http://groups.google.com/groups?q=group:*.genealogy.*+author:Burchfield&hl=en&lr=&ie=UTF-8&as_drrb=b&as_mind=12&as_minm=5&as_miny=2003&as_maxd=23&as_maxm=8&as_maxy=2004&selm=Xns939269E7B936FPaulBurchfield%40204.127.199.17&rnum=4>

With the last sale of FTM the
owner "relocated" (to Utah I think) the staff & facilities, and Paul
either chose not to relocate, or was not offered the opportunity. In
any case, he and FTM parted ways.

He made a couple of posts in regard to all that.
<http://groups.google.com/groups?q=group:*.genealogy.*+author:Burchfield&hl=en&lr=&ie=UTF-8&as_drrb=b&as_mind=12&as_minm=5&as_miny=2003&as_maxd=23&as_maxm=8&as_maxy=2004&selm=e1Sbb.412752%24cF.128338%40rwcrnsc53&rnum=2>

<http://groups.google.com/groups?q=group:*.genealogy.*+author:Burchfield&hl=en&lr=&ie=UTF-8&as_drrb=b&as_mind=12&as_minm=5&as_miny=2003&as_maxd=23&as_maxm=8&as_maxy=2004&selm=3XUib.281580%24mp.219291%40rwcrnsc51.ops.asp.att.net&rnum=3>

Bob

Mardon

Re: Digital Signatures - really

Posted by Mardon » 24 August 2004, 15:16

I hope that I don't get 'trashed' for again prolonging this thread. I know
that it's OT for a genealogy newsgroup and has gone on longer than most
people probably consider productive (including me), but I can't resist
commenting on Rick's post because I believe that it contains misleading
comments about public key digital signatures and encryption. My comments
are NOT in support of using digital signatures to sign messages posted to
Usenet. In fact, I think that's pretty much useless. The problem with such
signatures is that no system of trusted authorities exists to verify the
authenticity of the private keys that are used to perform the digital
signing. Anyway, I've responded to each of Rick's points in order, below.

"Rick Merrill" <[email protected]> wrote...
<*snip*>
*** PGP Signature Status: unknown
*** Signer: Unknown, Key ID = 0x34550EB3
*** Signed: 8/19/2004 11:46:24 PM
*** Verified: 8/23/2004 8:24:01 AM
*** BEGIN PGP VERIFIED MESSAGE ***
*snip*
But as you can see in the *** lines the number of
"unknown" bits makes the result not a lot more
interesting than the so-called hexadecimal
gibberish.

The Signature Status that you show above is NOT the one that you should
receive if you use an up-to-date key server to perform the verification.
The Key ID=0x34550EB3 is definitely associated with a good signature and the
name Robert Melson. Verification should produce: "Status: Good Signature
from Invalid Key" with the accompanying message "Alert: Please verify
signer's key before trusting signature." Proper verification also shows
"Robert Melson" as the key owner. Since you did not get this verification
message, try using a different key server. Perhaps the key server that you
used is not up-to-date. I used: ldap://keyseerver.pgp.com. Robert's public
key is definitely stored there.

Did anyone else take the trouble to 'verify' the message? (bet -)

From my preceding comments, it's obvious that I took the time to verify the
key. As I explained in my first post to this thread, there are a couple of
issues with Robert's key. The most significant is that no one, let alone a
"trusted authority", has signed it. This means that there is absolutely no
way of knowing if the key really belongs to someone named "Robert Melson".
Personally, I don't doubt that it does, but the fact that the key signature
shows up as "good" is NOT proof that the 'real' Robert Melson created the
key. The major weakness of the PGP signature system is the lack of a
central "trusted authority" to sign the keys. Robert's digital signature
does prove that a single person posted all of the signed messages, since the
same key was used to sign all those messages. Robert has also chosen not to
attach a photograph to his key, which is understandable, but weakens the
'believability' of the key.

Since the message was unencrypted, a 'signature' would
be easy to forge: just cut and paste Robert's!-)

If I correctly understand what you're saying, it's not true. A signed
message will not verify with a "good" signature (as Robert's messages do) if
anything between the "BEGIN PGP" and "END PGP" lines is changed.
Verification of such a message will produce a "Bad Signature" status. You
definitely cannot just 'cut and paste' a digital signature. If you do that,
the message will not produce a "good" signature and Robert's signed messages
do.

On the other hand, if Robert had also *encrypted*
his message could anyone have read it? (I'll bet not).

People can only read an encrypted message if the person who does the
encrypting uses the recipients' public key(s) to perform the encrypting. My
public PGP key is posted on my website, so IF Robert had known that I was
going to read his post, and IF he had known where my website was located,
THEN he could have gotten my public key and used it during the encryption
process. The same applies to any other potential readers of his posts.
Everyone whose public keys were used to encrypt the posted message would
have been able to decrypt and read it. But that's only theoretical
gibberish and totally irrelevant to the real world. No one (including
Robert) is going to encrypt a message posted to Usenet. That would be
silly. Personally, I think that it's equally silly to use digital
signatures to try and verify the authenticity of a message's author because
such signatures prove nothing about the real identity of the signer.
Authenticity verification requires a system of 'trusted authorities' to have
signed the author's key and such a system does not exist.

Rick Merrill

Re: Digital Signatures - really

Posted by Rick Merrill » 24 August 2004, 16:20

Thank you Mardon - I will paraphrase your comments in my reply.

OT: Verification is useful for genealogy because it increases the
trust among people who may (or may not) wish to share their research
and database information.

meaning of key encryption: I have learned that there are better
servers than the one I used!

*** PGP Signature Status: unknown
*** Signer: Unknown, Key ID = 0x34550EB3
*** Signed: 8/19/2004 11:46:24 PM
*** Verified: 8/23/2004 8:24:01 AM
*** BEGIN PGP VERIFIED MESSAGE ***
....


Using keyseerver.pgp.com I now get

*** PGP Signature Status: good
*** Signer: Robert Melson (UNIX geek) <melsonrREMUNGEDBYRM <at>
earthlink.net> (Invalid) <=== so why still "invalid"
*** Signed: 8/19/2004 11:46:24 PM
*** Verified: 8/24/2004 9:59:33 AM
*** BEGIN PGP VERIFIED MESSAGE ***
....

... issues with Robert's key. The most significant is that no one, let alone a
"trusted authority", has signed it. <=== is that why still "invalid" above?

...The major weakness of the PGP signature system is the lack of a
"trusted authority" to sign the keys. ... Robert has also chosen not to
attach a photograph to his key, which is understandable, <=== not these days;-)


Since the message was unencrypted, a 'signature' would
be easy to forge: just cut and paste Robert's!-)
If I correctly understand what you're saying, [it] will not verify ...

Right. I only meant it would APPEAR about the same, hence the smiley.


On the other hand, if Robert had also *encrypted*
his message could anyone have read it? (I'll bet not).
... No one ... is going to encrypt a message posted to Usenet.

I think we're on the same page here.


Bottom Lines:

PGP is a good thing for Email, and for usenet it gives an extra
level for munging but making available your true email address
to people like 'unix geek.' :-)

A person whose 'sig' advertises his or her having PGP gets a soupçon
of extra credibility with me.

-- RM

Mardon

Re: Digital Signatures - really

Posted by Mardon » 24 August 2004, 20:36

"Rick Merrill" <[email protected]> wrote...
<*snip*>
*** PGP Signature Status: good
*** Signer: ... (Invalid) <=== so why still "invalid"

The "Invalid" status message comes from the fact that the person who is
verifying the key (i.e. Rick in this instance) has not taken any steps to
include the key being tested in his own 'web of trust'. (See next point for
further comments.)

... issues with Robert's key. The most significant is that no one, let
alone a
"trusted authority", has signed it. <=== is that why still "invalid"
above?


The "invalid" status comes from the fact that the key being tested is not
within Rick's web of trust. In order to validate a key, one needs to
compare the 'fingerprint' of the key being tested against the known
fingerprint of the person's real key. For someone that you personally know,
this exchange of fingerprints can be done in any totally secure manner; such
as verbally, in person or on the telephone. Once you're certain that
someone's key is real and belongs to the person who is claiming to own it,
you can "sign" that person's public key. If you then verify a key that you
have signed, it will no longer show as "invalid". A key can also be made
"valid" if it is part of a 'web of trust' consisting of signed keys that
eventually connect your key with the key being verified. If you want to see
how this works, just import Robert's key (0x34550EB3) onto your public key
ring and sign it. (Be certain that you do NOT make it an exportable
signature. If you do so, it may wind up as being signed on the key server
and you do not want this.) Once you have signed his key on your public key
ring, do another verify on his signed message and it will no longer appear
to be an "invalid" key. A true 'web of trust' is much more complicated and
extensive than the direct signature used in this example.

I think the foregoing highlights another major drawback of using digital
signatures as implemented in PGP. It's just too complicated for most users
to properly manage their key rings. In fact, in most cases, even people who
are capable of understanding the intricacies of the process don't have any
desire to do so. Like I said in my first post, I'm only into this stuff
because of the "Captain Video Decoder Ring" that fascinated me as a kid and
I've been interested in codes and ciphers ever since.
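
Mardon's two points in this sub-thread (a signature pasted onto different text does not verify, and a good signature still reports an "invalid" key until key signatures connect it to your own key) can be seen together in a small model. This is an added example, not part of any post in the thread: it uses a toy RSA hash-then-sign scheme rather than GnuPG or the real key, the key names SIGNER, ME and FRIEND and the message texts are constructed, and it assumes every key signature on a path is fully trusted.

```python
import hashlib
from collections import deque

# Toy RSA parameters, constructed for this example. Both primes are Mersenne
# primes; a ~150-bit modulus is far too small for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537


def make_key():
    """Return (public, private) toy RSA keys."""
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)
    return {"n": n, "e": E}, {"n": n, "d": d}


def digest(text, n):
    """SHA-1 of the text (the 'Hash: SHA1' header in the posts), reduced mod n."""
    return int.from_bytes(hashlib.sha1(text.encode("utf-8")).digest(), "big") % n


def sign(text, private):
    """The signature is a function of the text's hash and the private key."""
    return pow(digest(text, private["n"]), private["d"], private["n"])


def signature_matches(text, sig, public):
    """Recover the signed hash with the public key and compare with this text."""
    return pow(sig, public["e"], public["n"]) == digest(text, public["n"])


def key_is_valid(target, certifications, my_id):
    """True if key signatures lead from my own key to the target key.

    certifications is a set of (signer_id, signed_id) pairs. Assumption: every
    signature on the path is fully trusted, which is simpler than PGP's model.
    """
    seen, queue = {my_id}, deque([my_id])
    while queue:
        current = queue.popleft()
        if current == target:
            return True
        for signer, signed in certifications:
            if signer == current and signed not in seen:
                seen.add(signed)
                queue.append(signed)
    return False


def verify(text, sig, signer_id, keyring, certifications, my_id):
    """Return a status string like those quoted in the thread."""
    public = keyring.get(signer_id)
    if public is None:
        return "unknown"  # key not fetched: nothing can be checked
    if not signature_matches(text, sig, public):
        return "bad signature"
    if key_is_valid(signer_id, certifications, my_id):
        return "good signature"
    return "good signature from invalid key"


def demo():
    public, private = make_key()
    original = "Group:\nThis posting will serve as a sample.\n"  # constructed
    altered = "Group:\nThis posting says something else.\n"      # constructed
    sig = sign(original, private)
    ring = {"SIGNER": public}
    chain = {("ME", "FRIEND"), ("FRIEND", "SIGNER")}
    return {
        "key not on ring": verify(original, sig, "SIGNER", {}, set(), "ME"),
        "unsigned key": verify(original, sig, "SIGNER", ring, set(), "ME"),
        "pasted onto other text": verify(altered, sig, "SIGNER", ring, set(), "ME"),
        "signed locally": verify(original, sig, "SIGNER", ring, {("ME", "SIGNER")}, "ME"),
        "reached via FRIEND": verify(original, sig, "SIGNER", ring, chain, "ME"),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:24} -> {status}")
```

In GnuPG, the local, non-exportable signature described in the post above is made with `gpg --lsign-key`.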

Robert Melson

Re: Digital Signatures - really

Posted by Robert Melson » 24 August 2004, 20:52

On Tuesday 24 August 2004 08:20, Rick Merrill wrote:

<snip>
Bottom Lines:

PGP is a good thing for Email, and for usenet it gives an extra
level for munging but making available your true email address
to people like 'unix geek.' :-)

A person whose 'sig' advertises his or her having PGP gets a soupçon
of extra credibility with me.

-- RM

Both Mardon and Rick make excellent points regarding the lack of a
verifying/validating signature on my signing key. One of the great
frustrations is that I have not, in the entire time I've lived in El
Paso and been somehow associated with computers, security and all the
rest, been able to find another person who might want to swap
validations -- who even _knows_ what I'm talking about. As one goes
afield, it becomes even more difficult, because there's always the
chance that _I_ am not really me but somebody masquerading as me.
Prove you're you at long distance!

Encrypting posts to the ngs would be absolutely insane, and was never
something I advocated. And, in point of fact, I don't really want to
see every message signed. Only in those cases where the information is
sensitive or important or subject somehow to dispute, it seems to me,
should the message be signed -- that way, anybody reading the message
and seeing that the key is valid but unsigned or something else in the
range of possibilities, can be reasonably assured that the information
is what I wrote and reflects my thoughts at the time of writing. And
that, it seems to me, _is_ a valid and valuable reason to sign a
newsgroup posting.

Bob Melson

--
Robert G. Melson Nothing is more terrible than
Rio Grande MicroSolutions ignorance in action.
El Paso, Texas Goethe
melsonr(at)earthlink(dot)net

Ernie Wright

Re: Digital Signatures - really

Posted by Ernie Wright » 24 August 2004, 22:30

Rick Merrill wrote:

A person whose 'sig' advertises his or her having PGP gets a soupçon
of extra credibility with me.

For what it's worth, this will vary with personal experience.

A well-known loon in some of the sci.* groups uses PGP. Since he posts
through an anonymous remailer and morphs to evade filters, PGP is the
only constant in his messages, and a number of people have resorted to
filtering on the presence of any PGP stuff in the signature.

- Ernie http://home.comcast.net/~erniew

Mardon

Re: Digital Signatures - really

Posted by Mardon » 24 August 2004, 23:51

"Robert Melson" <[email protected]> wrote...
Both Mardon and Rick make excellent points regarding the lack of a
verifying/validating signature on my signing key. One of the great
frustrations is that I have not, in the entire time I've lived in El
Paso and been somehow associated with computers, security and all the
rest, been able to find another person who might want to swap
validations -- who even _knows_ what I'm talking about. As one goes
afield, it becomes even more difficult, because there's always the
chance that _I_ am not really me but somebody masquerading as me.
Prove you're you at long distance!

According to the key-signing coordination webpage at BigLumber.com
(http://www.biglumber.com) there are 2 listings for Las Cruces, NM. These 2
listings are separate keys for the same person, who is a network data
analyst in the Data and Video Services Dept at New Mexico State University
(NMSU). Anyway, by virtue of being listed at BigLumber.com, he's apparently
willing to sign your key, given adequate proof of your identity. Doing this
generally requires a passport, birth certificate and similar documents plus,
of course, a copy of the fingerprint of the key that you want signed. One
of the keys belonging to this person is signed by 12 other keys, plus his
own, so getting his signature would be a big step toward building a small
web of trust. His keys are also listed in the reports of keyanalyze
(http://dtype.org/keyanalyze/). His telephone number is listed in the staff
directory on the NMSU website. Just look up one of his keys (0x53564C36 or
0xC96EF612) and use the name associated with that key to find him in the
NMSU directory. I believe that Las Cruces is less than 50 miles from El
Paso, so that seems a reasonable distance to travel, given your lack of
success with getting anyone to sign so far. If you're willing to travel
further, there are 7 people in Albuquerque listed on BigLumber.com.

singhals

Re: Digital Signatures - really

Posted by singhals » 25 August 2004, 15:31

Robert Melson wrote:


Both Mardon and Rick make excellent points regarding the lack of a
verifying/validating signature on my signing key. One of the great
frustrations is that I have not, in the entire time I've lived in El
Paso and been somehow associated with computers, security and all the
rest, been able to find another person who might want to swap
validations -- who even _knows_ what I'm talking about. As one goes
afield, it becomes even more difficult, because there's always the
chance that _I_ am not really me but somebody masquerading as me.
Prove you're you at long distance!

I've been given to understand that the college in ElP has a decent
CompSci dept. Can't that help somehow?

Cheryl

Leif B. Kristensen

Re: Digital Signatures - really

Posted by Leif B. Kristensen » 25 August 2004, 17:48

Ernie Wright rose and spake:

A well-known loon in some of the sci.* groups uses PGP. Since he
posts through an anonymous remailer and morphs to evade filters, PGP
is the only constant in his messages, and a number of people have
resorted to filtering on the presence of any PGP stuff in the
signature.

Finally, a valid reason for PGP signatures in Usenet postings :-)
--
Leif Biberg Kristensen
http://solumslekt.org/
Validare necesse est

Robert Melson

Re: Digital Signatures - really

Posted by Robert Melson » 1 September 2004, 1:33

On Wednesday 25 August 2004 07:31, singhals wrote:

Robert Melson wrote:


Both Mardon and Rick make excellent points regarding the lack of a
verifying/validating signature on my signing key. One of the great
frustrations is that I have not, in the entire time I've lived in El
Paso and been somehow associated with computers, security and all the
rest, been able to find another person who might want to swap
validations -- who even _knows_ what I'm talking about. As one goes
afield, it becomes even more difficult, because there's always the
chance that _I_ am not really me but somebody masquerading as me.
Prove you're you at long distance!

I've been given to understand that the college in ElP has a decent
CompSci dept. Can't that help somehow?

Cheryl

Cheryl:


Thanks for your comment, above. Unfortunately, UTEP is a decidedly 2nd
rate institution -- kinda a step-child of the UT system and definitely
not competitive with NM State U, just up the road by 40 miles. For the
rest of it, I've found one person at NM State who is sufficiently
involved with security, digital signatures, privacy issues, to know
what end is up (not that I necessarily do, myself!)

Anyway, thanks,
Bob Melson

--
Robert G. Melson Nothing is more terrible than
Rio Grande MicroSolutions ignorance in action.
El Paso, Texas Goethe
melsonr(at)earthlink(dot)net

Robert Melson

Re: Digital Signatures - really

Posted by Robert Melson » 1 September 2004, 1:35

On Wednesday 25 August 2004 05:08, Edward A. Feustel wrote:

"Robert Melson" <[email protected]> wrote in message
news:[email protected]...
On Tuesday 24 August 2004 08:20, Rick Merrill wrote:

snip

Bottom Lines:

PGP is a good thing for Email, and for usenet it gives an extra
level for munging but making available your true email address
to people like 'unix geek.' :-)

A person whose 'sig' advertises his or her having PGP gets a
soupçon of extra credibility with me.

-- RM

Both Mardon and Rick make excellent points regarding the lack of a
verifying/validating signature on my signing key. One of the great
frustrations is that I have not, in the entire time I've lived in El
Paso and been somehow associated with computers, security and all the
rest, been able to find another person who might want to swap
validations -- who even _knows_ what I'm talking about. As one goes
afield, it becomes even more difficult, because there's always the
chance that _I_ am not really me but somebody masquerading as me.
Prove you're you at long distance!

Encrypting posts to the ngs would be absolutely insane, and was never
something I advocated. And, in point of fact, I don't really want to
see every message signed. Only in those cases where the information
is sensitive or important or subject somehow to dispute, it seems to
me, should the message be signed -- that way, anybody reading the
message and seeing that the key is valid but unsigned or something
else in the range of possibilities, can be reasonably assured that
the information
is what I wrote and reflects my thoughts at the time of writing. And
that, it seems to me, _is_ a valid and valuable reason to sign a
newsgroup posting.

Bob Melson

--
Robert G. Melson Nothing is more terrible than
Rio Grande MicroSolutions ignorance in action.
El Paso, Texas Goethe
melsonr(at)earthlink(dot)net

Bob,
As you point out this is a major frustration. This is one of the
reasons that I adopted the
Thawte Web of Trust Model instead of the GNU/PGP model (I tried both).
snip


Regards,
Ed Feustel
Thawte WOT notary

Ed:


Thanks. While I tend to believe the difference between X.509
certificates and pgp signatures is as between night and day, I'll look
into your suggestion with genuine interest and thanks.

Bob Melson

--
Robert G. Melson Nothing is more terrible than
Rio Grande MicroSolutions ignorance in action.
El Paso, Texas Goethe
melsonr(at)earthlink(dot)net
