[Gllug] Signing everything?

Richard Cottrill richard_c at tpg.com.au
Wed Mar 20 12:23:17 UTC 2002


Say what you mean, and mean what you say :)

Glib comments aside, I think that anyone suing for incorrect information
given in a LUG would be working VERY hard in court. A defamation suit would
get further in Australia (guilt is presumed), and perhaps here in the UK
too. As you've already alluded, even moderate forensic work will probably
find a pretty clear trail to your email unless you're very careful.

- Disclaimer: what follows is even more speculative than my usual. I expect
clarifications and outright criticism for questionable statements of fact.
This is security stuff and I want to figure out if my beliefs are based on
fact, or misunderstanding.

OTOH a private signature is more trustworthy the more it's identified with
its owner, hence so long as the private key is used to sign a 'working' key
(basically acting like a mini CA) then the private key's security is only
enhanced by using it as often as possible, and distributing it far and wide
(well a signature rather than the key itself obviously).

If the 'working' key that's used for day-to-day email is changed regularly
then the mail is secure, and so long as the 'root' private key doesn't
change then the system is secure, and the body of signed, trustworthy
documents makes it MUCH harder to forge, replace, or otherwise breach the
security of Alice or Bob, or whoever.

I'm trying to get my act together and set up a system such as this, but I
find openssl is not the easiest thing to get my head around...

Richard

> -----Original Message-----
> From: gllug-admin at linux.co.uk [mailto:gllug-admin at linux.co.uk]On Behalf
> Of Rev Simon Rumble
> Sent: Wednesday, March 20, 2002 11:40 AM
> To: gllug at linux.co.uk
> Subject: [Gllug] Signing everything?
>
>
> I've noticed some people pgp/gpg sign _everything_ they write.  Can
> some of those who do this explain to me their reason for doing so?
>
> I've considered doing so but then, having thought about it, decided it
> also could make one vulnerable.  Does this not expose you to some
> liability if what you're saying is wrong?  In court you could always
> say "I didn't say that" but if you digitally sign your emails, and
> have good key security, that would be a bit harder...
>
> Then again, I store all my sent mail so if it came to it, I guess they
> could look there and if a reported email exists in the sent mail
> files, it's likely I did send it...
>
> Thoughts?
>
> --
> Rev Simon Rumble <simon at rumble.net>
> www.rumble.net
>
> Democracy substitutes election by the incompetent many for
> appointment by the corrupt few.
>
> - George Bernard Shaw
>


-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
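
The root-key / working-key arrangement discussed in the message above, as an added sketch that is not part of the original thread. It uses bare openssl signatures in place of real X.509 certificates or OpenPGP subkeys; the file names, message text, and the P-256/SHA-256 choice are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration: a long-lived root key endorses short-lived working keys.
# Constructed names and messages. Plain signatures stand in for certificates,
# so there is no expiry or revocation here.
set -eu

newkey() {   # $1 = path prefix; writes $1.key (private) and $1.pub (public)
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$1.key"
    openssl pkey -in "$1.key" -pubout -out "$1.pub"
}

sign() {     # $1 = signing key prefix, $2 = file to sign; writes $2.sig
    openssl dgst -sha256 -sign "$1.key" -out "$2.sig" "$2"
}

check() {    # $1 = public key prefix, $2 = file; succeeds only if $2.sig matches
    openssl dgst -sha256 -verify "$1.pub" -signature "$2.sig" "$2" \
        >/dev/null 2>&1
}

# A recipient who trusts only root.pub accepts a message when the root has
# endorsed the working public key AND that working key signed the message.
accept() {   # $1 = root prefix, $2 = working key prefix, $3 = message file
    check "$1" "$2.pub" && check "$2" "$3"
}

demo() {
    d=$(mktemp -d)
    newkey "$d/root"                                    # never rotated
    newkey "$d/work1"; sign "$d/root"  "$d/work1.pub"   # first working key
    newkey "$d/work2"; sign "$d/root"  "$d/work2.pub"   # its replacement
    newkey "$d/rogue"; sign "$d/rogue" "$d/rogue.pub"   # endorsed only by itself
    for k in work1 work2 rogue; do
        echo "message signed by $k" > "$d/$k.txt"
        sign "$d/$k" "$d/$k.txt"
        if accept "$d/root" "$d/$k" "$d/$k.txt"; then r=accepted; else r=rejected; fi
        echo "$k: $r"
    done
    rm -rf "$d"
}

demo
```

Mail signed under either working key verifies against the one unchanged root public key, while a key the root never endorsed is rejected even though its own signature on the message is valid.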



