Re: [OT] The PGP Signed Posts Farce

From: Peter T. Breuer (ptb_at_it.uc3m.es)
Date: 10/26/03


Date: Sun, 26 Oct 2003 09:00:03 GMT

Alan Connor <zzzzzz@xxx.yyy> wrote:
> On Sun, 26 Oct 2003 00:20:02 GMT, Peter T. Breuer <ptb@it.uc3m.es> wrote:
> >
> >
> > Alan Connor <zzzzzz@xxx.yyy> wrote:
> >> Nor does anyone. They don't even check other people's pgpsigs. It is an
> >> ego trip.
> >
> > Everyone checks them!

> That is not what EVERY pgpsig user I have asked has told me.

That's because you don't understand what is being said to you - the
checking is automatic. How do you get their public key (which enables
your digital-signature-aware application to confirm the message is
authentic)? Think about it.

Nah! Why not do as I suggest and go get a key and see how it works,
then you won't have to perform mental acts that are beyond you. Getting
a key is a triviality involving clicking on netscapes security menu.
Well, I have mozilla open, and there it's

 edit->preferences->privacy&security->certificates->certificate manager->
 help->(section "Using Certificates", link "Getting Your Own Certificate")

I'll help your clicky-pooness by showing you what it says:

 Getting Your Own Certificate

 Much like a credit card or a driver's license, a certificate is a form
 of identification you can use to identify yourself over the Internet
 and other networks. Like other commonly used personal IDs, a
 certificate is typically issued by an organization with recognized
 authority to issue such identification. An organization that issues
 certificates is called a certificate authority (CA).

 You can obtain certificates that identify you from public CAs, from
 system administrators or special CAs within your organization, or from
 web sites offering specialized services that require a means of
 identification more reliable than your name and password.

 Just as the requirements for a driver's license vary depending on the
 type of vehicle you want to drive, the requirements for obtaining a
 certificate vary depending on what you want to use it for. In some
 cases getting a certificate may be as easy as going to a web site,
 entering some personal information, and automatically downloading the
 certificate into your browser. In other cases you may have to go
 through more complicated procedures.

 You can obtain a certificate today by visiting the URL for a
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 certificate authority and following the on-screen instructions. For a
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 list of certificate authorities, see the online document Client
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 Certificates.

 Once you obtain a certificate, it is automatically stored in a
 security device. Your browser comes with its own built-in software
 security device. A security device can also be a piece of hardware,
 such as a smart card.

 Like a driver's license or a credit card, a certificate is a valuable
 form of identification that can be abused if it falls into the wrong
 hands. Once you've obtained a certificate that identifies you, you
 should protect it in two ways: by backing it up and by setting your
 master password.

 ...

Etc. etc. Go look at your certificate manager. Once you have a public
key lodged with a CA, and you have a private key, then anyone at all
can send you messages that you alone can read, and only you can sign
messages in such a way that everyone can recognize they come from you.

Look at the number of certificates you already have. Every time you
connect to a "secure page" and that little lock sign appears whole and
not broken in the bottom right hand corner of netscape/mozilla, you
are using the PKI and certificates signed by CAs, sitting in your
machine.

Yecccccccccch :-)

> But it is irrelevant anyway.

Oh, such a big boy knows such a lot about his own machine!

> > That's what the PKI (Public Key Infrastructure)
> > does for you, with you, while you click on the mail.
> >
> > Go get a free sample key from thawte so you can figure out how it all
> > works.

> Go piss up a rope.

You really are making yourself out to be the biggest fool imaginable,
you know that? Because you can't understand something you think the
rest of the world also can't? Because your head hasn't the candlepower
to "get it", you think that other people don't?

Why not go and fiddle around with the keys you already have and see how
you can suddenly send out encrypted mail to those people? Every time
netscape/mozilla receives a mail with a signature issued by an
authority it already trusts (possibly via a signature chain) it adds
it to its list, and you can see them all in your certificate manager.

> I know enough about it to know that it is bull***.

No, you do not know anything about it, least of all do you have any
grasp of the meaning of "trust"! Apparently. But then your grasp of
many things is severely limited. You'd fail any examination on the
workings of the PKI and public/private key technology, and digital
money, the digital contract, the digital purse, the .. oh, forget it!
When was this stuff invented? 1986 was the IETF team from netscape?
What do you think all the electronic commerce on the internet is based
on? What do you think your bankcards are using when you stick them in
the slots? Yes, that's right! Public/private key pairs and the PKI.
So it's all bull***, is it? How funny.

Or, in your case, pathetic.

> I do not participate in farces, especially one engineered by a bunch
> of arrogant, self-important snobs that presume to get in everyone's face
> with every article they post, knowing full well that pgpsigs on the Usenet

It's pointless to you, but not to the authors. They want to make sure
that nobody impersonates them. There are many legitimate reasons for
wanting that. I've seen plenty of fake posts purporting to be people
they aren't.

> are pointless and that almost no one has the software to use them, mostly

Almost everyone has, if they have a vaguely modern system. Even my
elderly "tin" news reader has pgp stuff built in, as does my "elm" mail
reader. The problem for me is in getting a key of mine trusted by
anyone in a large web of trust, because nobody in such a web has seen
me! I don't go to meets. What I need is to find someone I know who has
a key that is trusted by someone I want to be known by (via a chain).
Then I could get him/her to sign my key.

Supposing you know 10 people. Then chains of signers need only be 8
long before your key is acceptable to a whole country (10^8 people).

> because most people are pretty intelligent and know elitist bull*** when
> they see it.

Funnnnnnny! I really do think you ARE a mental patient, you know!

> Didn't read the other post.

> Christ but these pgpsig cultists are an arrogant and pushy lot.

PGP is a weak version of the technology devised to be exactly "good
enough" for signing and encrypting email. That was its design,
precisely. The similarity of news to email (message format the same, in
general terms), allows it to be used for news too. Whether it is
meaningful in that setting is another question. The people who use it
certainly have found a use for it.

And the US government did have it classified as a weapon of war until
recently. They couldn't break the encryption or the sigs.

Peter
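
The post above describes the web-of-trust mechanism (a chain of key
signatures from someone you know to the key you want to trust, and the
"10 signers, 8 hops, 10^8 people" estimate). The following is an added
worked example, not code from the post or from any PGP implementation:
it models a keyring as a directed graph of "signer signed signee's key"
edges and searches for a signature chain of bounded length. The key
names and the signature graph are constructed for illustration.

```python
from collections import deque

# Constructed sample web of trust (not from the post): a directed edge
# signer -> signee means "signer checked signee's identity and signed
# signee's public key". Only the key "me" is trusted outright.
SIGNATURES = {
    "me":      ["alice", "bob"],
    "alice":   ["carol", "dave"],
    "bob":     ["dave"],
    "carol":   ["erin"],
    "dave":    ["erin", "frank"],
    "erin":    ["grace"],
    "frank":   [],
    "grace":   ["heidi"],
    "heidi":   [],
    # mallory has signed heidi's key, but nobody on a path from "me"
    # has signed mallory's key, so mallory's own key stays untrusted.
    "mallory": ["heidi"],
}


def find_chain(signatures, start, target, max_depth=5):
    """Breadth-first search for the shortest signature chain from `start`
    (a key we hold and trust) to `target`.

    Returns the chain as a list of key ids, start first, or None when no
    chain of at most `max_depth` signatures exists. Edges are followed
    only in the signer -> signee direction: being signed by someone says
    nothing about whether the signer's own key is trustworthy.
    """
    if start == target:
        return [start]
    parent = {start: None}
    queue = deque([(start, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth >= max_depth:
            continue  # one more hop would exceed the allowed chain length
        for signee in signatures.get(node, []):
            if signee in parent:
                continue  # already reached by a chain at least as short
            parent[signee] = node
            if signee == target:
                chain = [signee]
                while parent[chain[-1]] is not None:
                    chain.append(parent[chain[-1]])
                return chain[::-1]
            queue.append((signee, depth + 1))
    return None


def reachable_keys(signatures, start, max_depth=5):
    """All keys whose trust can be established from `start` within
    `max_depth` signatures (the start key itself excluded)."""
    seen = {start}
    frontier = [start]
    for _ in range(max_depth):
        nxt = []
        for node in frontier:
            for signee in signatures.get(node, []):
                if signee not in seen:
                    seen.add(signee)
                    nxt.append(signee)
        frontier = nxt
    seen.discard(start)
    return seen


def hops_to_cover(fanout, population):
    """Smallest chain length d with fanout**d >= population: the post's
    back-of-envelope estimate (10 signers each, 10**8 people -> 8 hops)."""
    hops, reach = 0, 1
    while reach < population:
        reach *= fanout
        hops += 1
    return hops


if __name__ == "__main__":
    print(find_chain(SIGNATURES, "me", "heidi"))               # 5-hop chain
    print(find_chain(SIGNATURES, "me", "heidi", max_depth=4))  # None: too long
    print(find_chain(SIGNATURES, "me", "mallory"))             # None: nobody vouches
    print(sorted(reachable_keys(SIGNATURES, "me")))
    print(hops_to_cover(10, 10**8))                            # 8
```

Two things the example makes visible that the arithmetic in the post
does not: direction matters (mallory signing heidi's key does nothing for
mallory's own standing), and real clients cap the chain length, so the
8-hop country-wide chain would not be accepted by default. GnuPG, for
instance, limits certification chains with --max-cert-depth (default 5)
and, with the default trust model, wants either one fully trusted or
three marginally trusted signers on a key before treating it as valid.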