[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Hazards of encouraging forged dig sigs
-----BEGIN PGP SIGNED MESSAGE-----
Mark Terka writes:
> If thats the case.....isn't it an equal pain in the ass to go to the trouble
> of forging a sig? :> You would likely have to go through more key strokes and
> other routines to forge one. Why not just play by the rules and sign a
> message?
I imagine it would be a breeze to attach a forged PGP sig to every message
using most mailers etc. The signature block is easy -- simply append it to
the contents of the .sig autoappended by many mailers/newsreaders. All that
remains is a macro or a bit of cutting & pasting to toss in the --- BEGIN PGP
line at the top.
Now that Eric has made it abundantly clear he envisions syntactic but not
semantic checks of sigs, I am opposed to the proposition. I foresee a
situation in which a large portion of the list traffic uses forged or
meaningless signing-server-appended dig sigs. When I establish automatic
signature validation for incoming mail here Real Soon Now, there will be
plenty of noise generated by all the `false' negatives in the data to make
a mockery of the authentication process. Encouraging cryptographically
valid signatures was the first suggestion I'd seen in this entire debate
which seemed to promise tangible benefits; encouraging cryptographically
invalid signatures is the first notion which appears to offer tangible
detriment.
Disclaimer acronym of the day: ECDWHW. Eric Can Do Whatever He Wants.
BTW, Tim, why do you seem so surprised by JD's style of discourse ?
Just mention Chomsky and be done with the damn thing, it's not going to
be productive anyway.
- -L. Futplex McCarthy; PGP key by finger or server
"Don't say my head was empty, when I had things to hide...." --Men at Work
-----BEGIN PGP SIGNATURE-----
Version: 2.6.1
iQCVAwUBLt1CSGf7YYibNzjpAQEquAP5Aa0aVKiWW39kxxZEkvYHRFJBEOkZSVE5
ZCjUABEx7hki2+uaGvIDJyGlb73mxMeiT1iM8N1BBzbztSWbRN4wUbLsaRD27gQz
NY/g/eOvylZcphFzxLWRNWBnmGSgGgN+miMv0sVxSJkdq41fjSTW9ziH8mOrGRif
ZfYlP21LOSc=
=W8Wf
-----END PGP SIGNATURE-----