On 11/05/12 07:29, Henrique de Moraes Holschuh wrote:
> On Thu, 10 May 2012, Tony van der Hoff wrote:
>> I've learned a lot about GPG signing during the last few days. I can see
>> there are benefits where the recipient needs to be absolutely certain
>> that the sender is known to him.
>
> Yes. Or that the sender belongs to a certain group, for which an
> authoritative keyring is maintained.
>
>> That is certainly not the way mailing lists work, so causing a block of
>> some 400 characters to be sent to each and every subscriber is pure
>> self-indulgence, on the scale of insisting on sending HTML-formatted
>> mail. On balance, I think I prefer the latter.
>>
>> I have come to the conclusion that a GPG signature in these
>> circumstances says more about the sender's sense of self-importance than
>> anything else.
>
> Not always. Debian has a few mailing-lists where only signed mail by a
> Debian Developer is accepted (the -announce ones). Also, some information
> is considered critical enough that it is always sent signed. And yes,
> people DO make a fuss if the signature doesn't verify :)
And for some people signing their posts is a good idea on any Debian list, i.e. people who hold a position of authority in the Debian community. However, in every one of those cases I've always found a valid web of trust - likewise with half a dozen posters on this list. Even though I've not met them, I've met or know some of the people in their key signing chain. 2 or 3 degrees seems to cover most of the globe with Debian/GNU/Linux, and geographic location has no bearing on whether other people will sign your key.

> I've seen lots of PGP/MIME and S/MIME signed mails on MLs over the years,
> and any MUA worth using will do something smart with it (such as hide the
> mess and not bother the user if he is not validating signatures).

Yes! If the signer relies on the recipient to jump through hoops to validate the signature, it speaks volumes of the signer. If you have to cut and paste or perform CLI magic to validate or make a post viewable, then the whole exercise is *unfriendly*.

> Incorrectly-formatted PGP/MIME, as well as inline signatures are far more
> cumbersome on most MUAs, so they're far more likely to cause huge threads
> when used in an indiscriminate way.

And it will continue to increase as more people start using PGP signatures and github accounts like digital fetishes. Many people are convinced a message is from who it says it's from, just because it's signed - few check the signature and even fewer check the identity of the signer.

PGP is a convenient and robust system of ensuring the integrity and authorship of a message when used properly - otherwise it's a convenient ego toy for the ignorant at the inconvenience of others. Not unlike animated avatars and advertisements in signatures.

I'd encourage people to use digital signatures where appropriate - but only if used properly. If it's used properly, few people will complain, and using PGP improperly is worse than not using it at all (it promotes bad practices and devalues the protocol).
Kind regards
--
Iceweasel/Firefox/Chrome/Chromium/Iceape/IE extensions for finding answers to questions about Debian:-
https://addons.mozilla.org/en-US/firefox/collections/Scott_Ferguson/debian/
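The distinction drawn above between "the signature verifies" and "the signer is who they claim to be" is exactly what gpg's machine-readable status output exposes. As an added illustration (not code from the thread or from GnuPG), the following reads `gpg --status-fd` lines and reports a message as authenticated only when the signature is good and the key is fully or ultimately trusted in the local web of trust; the sample status lines, key id, fingerprint and user id are constructed placeholders.

```python
import re

# Status tokens gpg prints on --status-fd (documented in GnuPG's doc/DETAILS).
SIG_OK = {"GOODSIG"}
# Good-but-expired/revoked keys and outright bad signatures are all rejected here.
SIG_BAD = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}
TRUSTED = {"TRUST_FULLY", "TRUST_ULTIMATE"}
STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


def assess(status_lines):
    """Return a verdict dict from gpg --status-fd output.

    'verified' means the signature is cryptographically good for some key;
    'authenticated' additionally requires that key to be fully or
    ultimately trusted, i.e. the signer's identity has actually been checked.
    """
    verdict = {"verified": False, "authenticated": False,
               "signer": None, "trust": None}
    for line in status_lines:
        m = STATUS_RE.match(line.strip())
        if not m:
            continue
        keyword, args = m.group(1), m.group(2) or ""
        if keyword in SIG_OK:
            keyid, _, uid = args.partition(" ")
            verdict["verified"] = True
            verdict["signer"] = (keyid, uid)
        elif keyword in SIG_BAD:
            verdict["verified"] = False
        elif keyword.startswith("TRUST_"):
            verdict["trust"] = keyword
    verdict["authenticated"] = verdict["verified"] and verdict["trust"] in TRUSTED
    return verdict


# Constructed sample output; the key id, fingerprint and uid are placeholders.
FPR = "0000000000000000000000000123456789ABCDEF"
GOOD_BUT_UNTRUSTED = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Poster <poster@example.org>",
    f"[GNUPG:] VALIDSIG {FPR} 2012-05-11 1336714140 0 4 0 1 10 00 {FPR}",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",   # key found, but nobody vouched for it
]
GOOD_AND_TRUSTED = GOOD_BUT_UNTRUSTED[:-1] + ["[GNUPG:] TRUST_FULLY 0 pgp"]
BAD = ["[GNUPG:] NEWSIG",
       "[GNUPG:] BADSIG 0123456789ABCDEF Example Poster <poster@example.org>"]

if __name__ == "__main__":
    for name, lines in [("untrusted", GOOD_BUT_UNTRUSTED),
                        ("trusted", GOOD_AND_TRUSTED), ("bad", BAD)]:
        print(name, assess(lines))
```

A MUA that only looks for GOODSIG will show the first sample as a green tick even though the key is in nobody's trust chain; the `trust` field is what separates that case from the second.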