[Enigmail] Usability issues

LeRoy Cressy ldc at lrcressy.com
Tue Dec 11 14:12:26 PST 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Robert J. Hansen wrote:
> Please trim your quotes.
> 
> LeRoy Cressy wrote:
>> To me a bad signature is a warning that the message could have been
>> tampered with.
> 
> So is there being no signature whatsoever on a message.  A bad signature
> conveys precisely the same amount of information regarding tampering, or
> lack thereof, as there being no signature whatsoever.  This is an
> argument in favor of changing the way we view bad signatures.
> 
>> Only the owner of a key pair should send a key to a key server.
> 
> While you're talking about the way things should be, taxes should be
> lower, beer should be stronger, and I should have a pony.
> 
> The reality is that non-certowners can and do send certs to the cert server.
> 
This is one of the fallacies that should be addressed.

>> you could set up a cron job with a line like
>>   gpg --send-key 0x12345678
>> to make sure that only your version of your public key is on a key server.
> 
> This does not work.
> 
>> Also, you should not accept a signature for your key unless you have
>> verified the signature like from a key signing party
> 
> How do you propose to 'not accept' signatures?  OpenPGP doesn't give you
> a choice.
> 
The Philadelphia Linux Users Group, of which I am a member, has a simple
method of signing keys at the end of our monthly meeting:
http://www.phillylinux.org/keys/

When a person sends your private key back to you signed, you do not have
to import the key into your keyring unless you know that it is from the
proper person that you met at the meeting.  When you have verified that
the key is from that person and contains only the addition of the
individual's signature and no other additional signatures, then you should
import the key into your keyring.  The following is from the GnuPG man
page under the edit-key section:

        delsig  Delete a signature. Note that it is not possible to
                retract a signature once it has been sent to the public
                (i.e. to a keyserver). In that case you had better use
                revsig.

        revsig  Revoke a signature. For every signature which has been
                generated by one of the secret keys, GnuPG asks whether a
                revocation certificate should be generated.

Thus it seems that you can protect what is in the public side of your
key pair or certificate.

I hope that this clarifies my position a little.

>> There are a number of us that use numerous xterms and use gpg interactively.
> 
> Yes, I'm one, myself.  The point still stands: GnuPG is not a UI target.
> 
> _______________________________________________
> Enigmail mailing list
> Enigmail at mozdev.org
> https://www.mozdev.org/mailman/listinfo/enigmail
> 
> 


- --
 Rev. LeRoy D. Cressy  mailto:leroy at lrcressy.com   /\_/\
                       http://lrcressy.com        ( o.o )
                       Phone:  215-535-4037        > ^ <

gpg fingerprint:  62DE 6CAB CEE1 B1B3 359A  81D8 3FEF E6DA 8501 AFEA

For info on enigmail:    http://lrcressy.com/linux/mozilla.pdf
For info on gpg:         http://www.gnupg.org/

Jesus saith unto him, I am the way, the truth, and the life:
no man cometh unto the Father, but by me. (John 14:6)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
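The check LeRoy describes (import a returned, freshly signed key only if the sole change is the expected person's signature) as an added example; this is not code from the message or from the Enigmail project. It assumes both listings were produced with `gpg --with-colons --list-sigs` (the returned key listed from a throwaway keyring), and every key ID and user ID below is a constructed placeholder.

```python
"""Decide whether a returned, freshly signed public key may be imported.

Accept the returned copy only when, compared with the copy already in your
keyring, nothing was removed and every added signature comes from the one
signer you met. Key IDs and listings here are constructed placeholders.
"""


def parse_sigs(listing):
    """Parse `gpg --with-colons --list-sigs` output into a set of
    (user id, signer key id) pairs. In the colon format the key ID sits
    at field index 4 and the user ID at index 9; each sig line belongs
    to the most recent uid line."""
    sigs = set()
    uid = None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "uid":
            uid = f[9]
        elif f[0] == "sig" and uid is not None:
            sigs.add((uid, f[4]))
    return sigs


def new_signatures(before, after):
    """Signatures present on the returned key but not on your copy."""
    return parse_sigs(after) - parse_sigs(before)


def safe_to_import(before, after, expected_signer):
    """True only when the returned key is your copy plus one or more
    signatures from expected_signer and nothing else changed."""
    old, new = parse_sigs(before), parse_sigs(after)
    if not old <= new:      # a signature vanished: not a plain addition
        return False
    added = new - old
    if not added:           # nothing new, so nothing worth importing
        return False
    return all(signer == expected_signer for _, signer in added)


# Constructed sample listings (placeholder key IDs, not real keys).
KEYRING_COPY = (
    "pub:u:2048:1:0000000000000001:1197000000:::u:::scESC:\n"
    "uid:u::::1197000000::HASH::Alice Example <alice@example.org>:\n"
    "sig:::1:0000000000000001:1197000000::::Alice Example <alice@example.org>:13x:\n"
)
RETURNED_OK = KEYRING_COPY + (
    "sig:::1:0000000000000002:1197300000::::Bob Signer <bob@example.org>:12x:\n"
)
RETURNED_BAD = RETURNED_OK + (
    "sig:::1:00000000000000FF:1197300000::::Unknown <who@example.net>:12x:\n"
)
```

Run `safe_to_import(KEYRING_COPY, RETURNED_OK, "0000000000000002")` to see the acceptable case; `RETURNED_BAD` carries an extra unknown signature and is rejected.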

