On Wed, Jan 26, 2011 at 08:15:03AM +0530, Binand Sethumadhavan wrote:
2011/1/25 Nitesh Mistry mailbox@mistrynitesh.net:
I think it's time you checked a couple of other servers as well. I can confirm that my keys are hosted on at least two public servers.
Therein lies the point. Should I (or anyone who'd like to verify your signature) go around every keyserver looking for your key? How do I know which keyserver to look on?
Use a keyserver that syncs data with others and you will be spared the effort.
So first the problem was that there was no instruction in the mail on how to verify the signature, and now the problem is that it is not signed!
The problem is neither of the above - it is that signing messages adds no value to their contents, if signed with a key that is trusted by no one. And unless you are someone who is frequently impersonated, there is no point in signing messages sent to a public access mailing list. It only reduces the S/N further.
BTW, how can one say that if the key couldn't be found on the keyserver?
I did make an effort to locate your key and evaluate your usage, you know.
What better way to popularise the use of pgp than to sign messages to a public mailing list. At least I came to know about it only when I saw them on
Your system has loopholes. You say that the keyserver to search on is mentioned on your homepage, a link to which (along with the key ID) is included in your email, whose signature the recipient is supposed to verify. Do you see the circular logic here that negates any advantage you might have had from signing the message?
Just to aid your memory, I mentioned that there are zillions of websites which give information on what pgp keys are and how to download one from a keyserver and verify a message. My website is only one of them.
The popularity of pgp should be based on its merits - not based on
Don't you think merits should be popularised?
incorrect and faulty usage that puts users at more risk than they were.
How does signing my messages with a key that I own put someone at more risk?
I believe signing messages also indicates ownership of the content of the message. And though the key is not signed at the moment, it can always be authenticated anytime, if anyone wants to.
An untrusted key does nothing of that sort. For example, anybody can register niteshmistry.com, set up an email ID and website, generate a key, upload it to a keyserver and start signing messages as mailbox@niteshmistry.com. Without the WoT, how do you protect your correspondents from this scenario?
The fact that the message is signed indicates the ownership of the mail and that I am in physical control of that key. Anybody who has the urge or the need to verify it can do so by meeting in person. No other person will be able to do that. Keysigning and the WoT only aid in doing so.
Do you mean to say that you would have had no objection if the key was signed? No, maybe then you would have had the problem that the key was not in your WoT, or something of that sort. How do you solve that problem? By bringing more and more people into the WoT (of course after standard due diligence). How do more people get to know about this? When you sign messages (especially messages in the public mailing list).
Even in the offline world, signing a document is usually not enough -
On the contrary it is 'usually' enough. Of how many documents that we sign, do you get them countersigned by a witness? Does that mean you do not sign a document unless there is a witness countersigning it?
a witness should countersign indicating that he knows the person signing and vouches that the signature is authentic. The WoT extends this concept to the Internet.
This is only in rare cases of legal documentation, where courts and other authorities want to spare themselves the effort of verifying the authenticity.
PS: I hope someone who was missing the activity on the list is having fun. :)
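The impersonation scenario raised above (anyone can generate a key carrying someone else's email address and upload it to a keyserver) and the web-of-trust answer to it can be made concrete with a small model of how GnuPG's classic trust model decides whether a user ID on a key is valid. The following is an added example, not part of this thread and not GnuPG's own code: it keeps no real keys or signatures, only records of who certified which user ID on which key, and applies the stock GnuPG thresholds (one fully trusted introducer or three marginally trusted introducers, chain depth limited to five). All fingerprints, names and addresses are constructed for the example.

```python
"""Toy model of GnuPG's classic web-of-trust validity computation.

Added example, not GnuPG code.  A 'certification' here is just a record
that key S signed user ID U on key T; no cryptography is performed.
"""
from dataclasses import dataclass, field

# GnuPG defaults (assumption: stock values of --marginals-needed,
# --completes-needed and --max-cert-depth).
MARGINALS_NEEDED = 3
COMPLETES_NEEDED = 1
MAX_CERT_DEPTH = 5

# Ownertrust: how far the key's *owner* is trusted to certify others.
UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = (
    "unknown", "never", "marginal", "full", "ultimate")


@dataclass
class Key:
    fpr: str                                   # made-up fingerprint
    uids: tuple                                # user IDs claimed by the key
    certs: dict = field(default_factory=dict)  # uid -> {certifier fpr, ...}


class Keyring:
    def __init__(self):
        self.keys = {}
        self.ownertrust = {}

    def add(self, key, ownertrust=UNKNOWN):
        self.keys[key.fpr] = key
        self.ownertrust[key.fpr] = ownertrust
        for uid in key.uids:
            key.certs.setdefault(uid, set())

    def certify(self, signer_fpr, target_fpr, uid):
        """Record that signer vouches that `uid` belongs to target."""
        if signer_fpr not in self.keys:
            raise KeyError(signer_fpr)
        self.keys[target_fpr].certs[uid].add(signer_fpr)

    def keys_for_uid(self, uid):
        """Keyserver-style lookup: every key that merely *claims* a uid."""
        return sorted(k.fpr for k in self.keys.values() if uid in k.uids)

    def compute_validity(self):
        """Return {(fpr, uid): 'full'|'marginal'|'unknown'}."""
        validity = {(k.fpr, u): "unknown"
                    for k in self.keys.values() for u in k.uids}
        # Depth 0: our own (ultimately trusted) keys are valid by fiat.
        for k in self.keys.values():
            if self.ownertrust[k.fpr] == ULTIMATE:
                for u in k.uids:
                    validity[(k.fpr, u)] = "full"
        for _depth in range(MAX_CERT_DEPTH):
            # An introducer must itself be fully valid *and* have ownertrust.
            introducers = {
                fpr: self.ownertrust[fpr] for fpr in self.keys
                if self.ownertrust[fpr] in (MARGINAL, FULL, ULTIMATE)
                and any(validity[(fpr, u)] == "full"
                        for u in self.keys[fpr].uids)}
            changed = False
            for k in self.keys.values():
                for u in k.uids:
                    if validity[(k.fpr, u)] == "full":
                        continue
                    # Self-signatures never count towards validity.
                    signers = {s for s in k.certs[u] if s != k.fpr}
                    completes = sum(1 for s in signers
                                    if introducers.get(s) in (FULL, ULTIMATE))
                    marginals = sum(1 for s in signers
                                    if introducers.get(s) == MARGINAL)
                    if completes >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
                        new = "full"
                    elif completes + marginals > 0:
                        new = "marginal"
                    else:
                        new = "unknown"
                    if new != validity[(k.fpr, u)]:
                        validity[(k.fpr, u)] = new
                        changed = True
            if not changed:
                break
        return validity


def build_demo_keyring():
    """Constructed scenario: a genuine key and an impostor sharing one uid."""
    kr = Keyring()
    kr.add(Key("ALICE", ("alice@example.com",)), ULTIMATE)   # the verifier
    for who in ("BOB", "CAROL", "DAVE"):                    # people Alice met
        kr.add(Key(who, (who.lower() + "@example.com",)), MARGINAL)
        kr.certify("ALICE", who, who.lower() + "@example.com")
    kr.add(Key("REAL", ("mailbox@example.com",)))            # genuine key
    kr.add(Key("FAKE", ("mailbox@example.com",)))            # impostor key
    kr.add(Key("THROW", ("nobody@example.net",)))            # impostor's helper
    kr.add(Key("ONE", ("one@example.com",)))                 # only one voucher
    for who in ("BOB", "CAROL", "DAVE"):
        kr.certify(who, "REAL", "mailbox@example.com")
    kr.certify("FAKE", "FAKE", "mailbox@example.com")         # self-signed
    kr.certify("THROW", "FAKE", "mailbox@example.com")        # untrusted voucher
    kr.certify("BOB", "ONE", "one@example.com")
    return kr


if __name__ == "__main__":
    kr = build_demo_keyring()
    v = kr.compute_validity()
    print("keys claiming mailbox@example.com:", kr.keys_for_uid("mailbox@example.com"))
    for fpr in ("REAL", "FAKE", "ONE"):
        uid = kr.keys[fpr].uids[0]
        print(f"{fpr:5} {uid:22} validity={v[(fpr, uid)]}")
```

The lookup step is the first point made in the thread: the keyserver returns both REAL and FAKE for the same address, and nothing about the search tells you which is genuine. A cryptographically good signature from FAKE is still "good", but the validity computation leaves it at unknown because no key the verifier trusts has vouched for that user ID, whereas REAL reaches full validity through three marginally trusted certifiers and ONE stays marginal with a single voucher. Signing a message therefore only proves control of some key; the certifications are what tie the key to the person.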