Message-ID: <20040321031531.QZIP439081.fep01-mail.bloor.is.net.cable.rogers.com@BillDell>
From: full-disclosure at royds.net (Bill Royds)
Subject: NEVER open attachments

My problem with signed messages is that verification often doesn't work
since the key servers are often not in sync with public keys. For example,
here is GnuPG applied to a message by Jim Richardson a little earlier today:


C:\temp>C:\GnuPG\gpg --keyserver "hkp://subkeys.pgp.net" --verify signature.asc fD-signed.txt
gpg: Signature made 03/20/04 18:33:30  using DSA key ID 838058F6
gpg: Can't check signature: public key not found

So the value of signing your messages doesn't really scale.
That is why S/MIME is used by most commercial MUAs. Even though you have to
pay for the certificate, you can pretty well guarantee that the public key
will be available when one needs to verify the message.



-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Troy
Sent: March 20, 2004 8:43 PM
To: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] NEVER open attachments

On Sat, 20 Mar 2004 11:54:34 +0100, Nico Golde <nion@....net> wrote:

> if many people here have the same problem i will not sign my mails in
> the future to this mailinglist in the hope that all can read my mails.
> regards nico

FYI, with my mailer, your emails show up as plain text message with an
attached signature file, so it's no problem for me if you sign them. I
usually ignore the signature but, if I need to verify a message, I can
pull the attachment out for verification.

-- 
Troy

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
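
Added example, not part of the original message or of GnuPG itself: the failure shown above ("public key not found") means the signature is unverifiable, which is a different outcome from a bad signature, and a script can tell the two apart by reading gpg's machine-readable status lines (as emitted with --status-fd). The key ID, user name and sample lines below are constructed, and the sketch assumes the status output of one verify run is passed in as text.

```python
from enum import IntEnum

class Verdict(IntEnum):
    # Ordered by severity so a failure is never masked by another status line.
    UNKNOWN = 0    # no signature status seen; treat as not verified
    GOOD = 1       # GOODSIG
    QUALIFIED = 2  # signature checks out, but key or signature is expired/revoked
    UNCHECKED = 3  # ERRSIG for another reason (e.g. unsupported algorithm)
    NO_KEY = 4     # the case in the message above: public key not available
    BAD = 5        # BADSIG: the data does not match the signature

_SIMPLE = {"GOODSIG": Verdict.GOOD, "BADSIG": Verdict.BAD,
           "EXPSIG": Verdict.QUALIFIED, "EXPKEYSIG": Verdict.QUALIFIED,
           "REVKEYSIG": Verdict.QUALIFIED, "NO_PUBKEY": Verdict.NO_KEY}

def classify(status_text):
    """Return (Verdict, key_id) for the status output of one gpg --verify run."""
    verdict, key_id = Verdict.UNKNOWN, None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "[GNUPG:]":
            continue  # skips human-readable "gpg: ..." lines and bare tags
        tag, args = fields[1], fields[2:]
        if tag == "ERRSIG":
            # ERRSIG <keyid> <pkalgo> <hashalgo> <sig_class> <time> <rc>; rc 9 = missing key
            missing = len(args) >= 6 and args[5] == "9"
            found = Verdict.NO_KEY if missing else Verdict.UNCHECKED
        elif tag in _SIMPLE:
            found = _SIMPLE[tag]
        else:
            continue
        if found > verdict:
            verdict, key_id = found, args[0]
    return verdict, key_id

def accept(status_text):
    """Only an unqualified good signature counts as verified."""
    return classify(status_text)[0] is Verdict.GOOD

# Constructed sample status output (not captured from a real run).
MISSING_KEY = ("gpg: Can't check signature: public key not found\n"
               "[GNUPG:] ERRSIG 0123456789ABCDEF 17 2 00 1079825610 9\n"
               "[GNUPG:] NO_PUBKEY 0123456789ABCDEF\n")
TAMPERED = "[GNUPG:] BADSIG 0123456789ABCDEF Constructed User <user@example.org>\n"
VALID = "[GNUPG:] GOODSIG 0123456789ABCDEF Constructed User <user@example.org>\n"

if __name__ == "__main__":
    for name, sample in (("missing key", MISSING_KEY), ("tampered", TAMPERED), ("valid", VALID)):
        print(name, classify(sample), "accepted" if accept(sample) else "rejected")
```

A NO_KEY result is the one worth retrying after fetching the key; BAD is not.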

