On Jul 23, 2004, at 10:43 AM, Bob Blick wrote:

>> But if you sign all of your messages (as many people do), it becomes
>> impossible for me to do this without raising a much larger red flag -
>> especially if your mail client automatically checks digital
>> signatures, like many do.
>
> No, and no.
>
> Many people do not digitally sign their messages. Fewer than .05% of the
> messages on the piclist are signed.

And that's because... most people use mail clients that are, quite literally, retarded. Non-state-of-the-art ten year old mail clients.

> Also, no red flags are raised, ever, unless you are using a mail client
> that supports it, and you have it correctly configured. Again, down at the
> noise floor are the adopters of that technology.

I have a number of mail clients that automatically do this without intervention. They're configured quite "sanely" right out of the "box". Kmail is one example.

I'd like to see Apple put (good) support for digital signatures into Mail.App... that would probably do more to encourage many people to start using encryption keys in daily life... because Apple would integrate it relatively painlessly, I'm sure. Their GUI engineers are top-notch.

> But that's just in answer to the points you raised. My original points
> were:
>
> Who cares, this is the piclist and 99% of the people don't know or really
> care who the person is on the other end, they read for the content and the
> public discussion.

The people that want to move forward after ten years of waiting on other mail clients to "do the right thing"? :-) I think that's where the original poster was coming from. I, like you, have kinda "given up" on digital signatures, but I'm more than willing to jump on the bandwagon and remind folks that they really *should* be used.

(But heck, I can't even get my company to stop shipping products with Telnet as their standard way to control them and replace it with SSH, like should have been done half a decade ago when the product was first released... so I'd say that even SIMPLE to replace items like that still carry a stigma of being "too hard" to use, which especially in the case of replacing telnet with SSH is asinine. So... how does one combat 30 other people's "opinion" that has no technical or logical merit? Chalk it up to "people are stupid" or just constantly cajole, remind, and train people that non-encrypted methods of remote access are wrong, wrong, wrong, wrong, wrong, oh... and did I mention... WRONG? Heh... oh well.)

> Second, attachments should not be sent to the piclist except under special
> circumstances. Once you start allowing attachments, people will start
> using "stationery" and other clever annoyances. What a waste of bandwidth.
> Want to put a digital signature on your message? Put it in the body of the
> message! Who cares if it's a "hack", you won't be adding an attachment,
> and if anyone really cares, let them figure out how to make it work. They
> are, after all, smart people, correct?

The RFCs cover both ways of digitally signing. If you look at the raw differences between in-line ASCII-armored PGP and S/MIME attached PGP signatures, you'd see there's probably little difference in size. The only additional actual data transmitted in the S/MIME version would be the MIME headers.

I agree with you on this one... to a point. Since no one can agree with the RFCs for S/MIME, good mailers should handle both inline and S/MIME attached signatures. Some already do.

> Just my .02, of course. I am all for encryption and digital signatures,
> but only when it works, which it doesn't for 99% of the people.

It'll only work if people just start using them. I'm just as bad as the next guy... I don't sign things with my keys either, even though I went through the steps to publish them a long time ago on MIT's public key server.

Ah well... I wasn't meaning to debate whether or not crypto e-mail signatures are useful or not. I was more stating fact that if they were used a number of other good results happen. (Example... rejecting all e-mail with an invalid signature and grey-listing (quarantine) any e-mail from someone who signed but that you haven't put in your "okay to receive from" list would cut spam massively... next step after that is not to accept mail from any SMTP server that doesn't do STARTTLS and has a valid SSL key... wouldn't take too long to put spam back in the can if business and government required these items in order to correspond with them.)

Sorry, off on a big tangent here... must be Friday. Back to work! ;-)

--
Nate Duehr, nate@natetech.com
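Added example, not part of the original message: the size comparison discussed above, built for the inline clearsigned form (RFC 4880 cleartext framework) and the attached multipart/signed form (RFC 3156). The body, boundary string and signature block are constructed placeholders, and the function names are hypothetical; no real signing is performed, only the framing around the same body and signature is measured.

```python
# Added example; the body, boundary and signature block are constructed placeholders.
CRLF = "\r\n"
BODY = CRLF.join(["Hello list,", "", "Telnet should be replaced with SSH.",
                  "-- ", "Constructed Sender", ""])
# Not a real signature: filler of roughly the size of an armored signature.
ARMORED_SIG = CRLF.join(["-----BEGIN PGP SIGNATURE-----", "",
                         "A" * 64, "A" * 64, "A" * 20, "=AAAA",
                         "-----END PGP SIGNATURE-----", ""])

def dash_escape(text):
    """RFC 4880 sec. 7.1: prefix lines that begin with '-' with '- '."""
    return "".join("- " + line if line.startswith("-") else line
                   for line in text.splitlines(keepends=True))

def inline_clearsigned(body, sig, hash_name="SHA1"):
    """Inline form: armor header, Hash line, dash-escaped text, signature."""
    return ("-----BEGIN PGP SIGNED MESSAGE-----" + CRLF
            + "Hash: " + hash_name + CRLF + CRLF
            + dash_escape(body) + sig)

def pgp_mime(body, sig, boundary="=_constructed_boundary"):
    """Attached form: multipart/signed wrapper, body part left unmodified."""
    return (
        "Content-Type: multipart/signed; micalg=pgp-sha1;" + CRLF
        + ' protocol="application/pgp-signature"; boundary="' + boundary + '"' + CRLF
        + CRLF
        + "--" + boundary + CRLF
        + "Content-Type: text/plain; charset=us-ascii" + CRLF + CRLF
        + body
        + CRLF + "--" + boundary + CRLF
        + "Content-Type: application/pgp-signature" + CRLF + CRLF
        + sig
        + CRLF + "--" + boundary + "--" + CRLF)

def overhead(framed, body, sig):
    """Bytes added on top of the body text and the signature block."""
    return (len(framed.encode("ascii")) - len(body.encode("ascii"))
            - len(sig.encode("ascii")))

if __name__ == "__main__":
    for name, build in (("inline", inline_clearsigned),
                        ("multipart/signed", pgp_mime)):
        framed = build(BODY, ARMORED_SIG)
        print(name, overhead(framed, BODY, ARMORED_SIG), "bytes of framing")
```

The attached form's framing is a fixed cost that does not grow with the message, while the inline form rewrites any body line starting with a dash, including the "-- " signature separator.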