OpenPGP-signed messages on Usenet: current best practice - PGP

This is a discussion on OpenPGP-signed messages on Usenet: current best practice - PGP ; Greetings. Is there any consensus on the posting of OpenPGP-signed articles to non-binary newsgroups? Are they welcome or hated? Are they considered binary attachments? About what proportion of Usenet readers are using a newsreader that recognizes and correctly processes (i.e., ...

+ Reply to Thread
Results 1 to 7 of 7

Thread: OpenPGP-signed messages on Usenet: current best practice

  1. OpenPGP-signed messages on Usenet: current best practice

    Greetings.

    Is there any consensus on the posting of OpenPGP-signed articles to
    non-binary newsgroups? Are they welcome or hated? Are they considered
    binary attachments? About what proportion of Usenet readers are using a
    newsreader that recognizes and correctly processes (i.e., verify the
    signature if PGP/GnuPG software is installed, otherwise ignore but
    indicate that a signature is present) PGP-signed articles?

    I know, for example, that Microsoft Outlook Express's handling of
    OpenPGP-signed mail is terrible -- it presents a blank message with both
    the text and digital signature parts as attachments, and doesn't identify
    the signature as a signature, so Outlook Express users often write me back
    saying, "I couldn't open your second attachment!". Does Outlook Express
    (or other popular newsreaders) do the same thing for signed newsgroup
    articles?

    Regards,
    Tristan

    --
    _
    _V.-o Tristan Miller [en,(fr,de,ia)] >< Space is limited
    / |`-' -=-=-=-=-=-=-=-=-=-=-=-=-=-=-= <> In a haiku, so it's hard
    (7_\\ http://www.nothingisreal.com/ >< To finish what you

  2. Re: OpenPGP-signed messages on Usenet: current best practice

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Tristan Miller wrote in
    news:1214341.butq5FYBAf@ID-187157.News.Individual.NET:

    > Greetings.
    >
    > Is there any consensus on the posting of OpenPGP-signed articles to
    > non-binary newsgroups? Are they welcome or hated? Are they considered
    > binary attachments? About what proportion of Usenet readers are using a
    > newsreader that recognizes and correctly processes (i.e., verify the
    > signature if PGP/GnuPG software is installed, otherwise ignore but
    > indicate that a signature is present) PGP-signed articles?
    >
    > I know, for example, that Microsoft Outlook Express's handling of
    > OpenPGP-signed mail is terrible -- it presents a blank message with both
    > the text and digital signature parts as attachments, and doesn't
    > identify the signature as a signature, so Outlook Express users often
    > write me back saying, "I couldn't open your second attachment!". Does
    > Outlook Express (or other popular newsreaders) do the same thing for
    > signed newsgroup articles?


    I can only give my two cents on this.

    People in non-PGP related newsgroups don't want to be bothered with PGP
    signed messages at all. They find it irritating, and don't understand any
    reason for it.

    When you refer to OpenPGP and attachments, I think you are referring to use
    of PGP/MIME? While I am a big time PGP fan, and use inline clearsigning in
    PGP newsgroups and email lists, I personally dislike attachments of any
    kind - if people use secure software (for this purpose, I am largely
    thinking non-Microsoft) and don't open attachments that they don't have
    really good reason to believe are safe, viruses, etc., would be much less
    of a problem.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.1
    Comment: PGP FAQ: http://www.mccune.cc/PGP.htm

    iQEVAwUBRBq8XWDeI9apM77TAQLjMgf/YGZrDU1bUAVtKiHy1vFTduyyhFiWMcYu
    GO72KI6ZZuNg2Jjoq+V/pxggab+flWP3puBoNezUfzQtlJtRVT0V5fhjVJZLKLeZ
    Z92VG9Eyc4o9l5xuSsEVZFILsVYcTQCSQ9UWOKhssxupmw9VTJ MQyz3vyotKH3lu
    PO6TYRXNVSwj6AHnGgdAQ4pzfyojrsCfjJ1yFJiW+X2yjyLN9C sGMWl+1ignLe1d
    d8QX47FHJKwWittDnBI/hBdN/Xt/sUj8DS89bQHYlmRXDW8EPhshShHf9lHx7IZR
    Gm6DXqsvb1GF0jPx0MyKCnFZVYmWLVIsIRy/WWLnr2MwO/Qhegw7sw==
    =N9cK
    -----END PGP SIGNATURE-----

  3. Re: OpenPGP-signed messages on Usenet: current best practice



    Tristan Miller wrote:

    > Greetings.
    >
    > Is there any consensus on the posting of OpenPGP-signed articles to
    > non-binary newsgroups? Are they welcome or hated? Are they considered
    > binary attachments? About what proportion of Usenet readers are using a
    > newsreader that recognizes and correctly processes (i.e., verify the
    > signature if PGP/GnuPG software is installed, otherwise ignore but
    > indicate that a signature is present) PGP-signed articles?


    Like Tom, I use signatures in PGP or other security oriented newsgroups
    only. There will generally be a few complaints if used in other
    newsgroups where the importance of signing is not necessarily recognised
    and the readers think of it as unnecessary "clutter". If the
    authenticity of my postings were challenged, of course, I would sign
    every time.

    > I know, for example, that Microsoft Outlook Express's handling of
    > OpenPGP-signed mail is terrible -- it presents a blank message with both
    > the text and digital signature parts as attachments, and doesn't identify
    > the signature as a signature, so Outlook Express users often write me back
    > saying, "I couldn't open your second attachment!". Does Outlook Express
    > (or other popular newsreaders) do the same thing for signed newsgroup
    > articles?


    The issue of using PGP/MIME is a different one. There are very few mail
    clients capable of handling PGP/MIME as such, so it can tend to irritate
    anyone not using such a client. OE is the worst, of course, because, as
    you say, it doesn't display the text of the message at all - however, I
    figure anyone using OE doesn't know or care much about security anyway -
    or they wouldn't use it. The problem with using in-line signing is that
    it can too easily be damaged by mail clients which mangle the e-mail
    (Thunderbird - one of best e-mail clients, unfortunately does so) and
    that prevents the signature from verifying. This is so common that
    in-line signing should really be used only if all else fails.

    A couple of things make PGP/MIME less of a problem than previously.
    Firstly, PGP itself solves the problem with the advent of v 9.x, this
    should handle it OK. The second is that many people interested in
    security have switched away from PGP anyway to use GnuPG - which will
    handle PGP/MIME correctly. In combination with Thunderbird/Enigmail or
    other front ends for GnuPG this means that PGP/MIME is really not a
    problem, and since it is by far the best and most secure method, should
    be used as first choice.

    Regards,

    Bob

    --
    Remove "x" from address to reply by email


    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.2.2 (MingW32)
    Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

    iD8DBQFEGsWK/yGczvugYoIRAjSsAJ9mK7WHuMnmRJRvf1SZRQcHLlvldACgvqw V
    jT8wVAJW6J8zdOhPq5cXngo=
    =+GBW
    -----END PGP SIGNATURE-----


  4. Re: OpenPGP-signed messages on Usenet: current best practice

    Tristan Miller wrote:
    > Greetings.
    >
    > Is there any consensus on the posting of OpenPGP-signed articles to
    > non-binary newsgroups? Are they welcome or hated? Are they considered
    > binary attachments? About what proportion of Usenet readers are using a
    > newsreader that recognizes and correctly processes (i.e., verify the
    > signature if PGP/GnuPG software is installed, otherwise ignore but
    > indicate that a signature is present) PGP-signed articles?
    >
    > I know, for example, that Microsoft Outlook Express's handling of
    > OpenPGP-signed mail is terrible -- it presents a blank message with both
    > the text and digital signature parts as attachments, and doesn't identify
    > the signature as a signature, so Outlook Express users often write me back
    > saying, "I couldn't open your second attachment!". Does Outlook Express
    > (or other popular newsreaders) do the same thing for signed newsgroup
    > articles?
    >
    > Regards,
    > Tristan
    >


    I only sign newsgroup messages when the authenticity is important.
    Early in 1998, I was an official proponent of the proposed
    reorganization of a Usenet newsgroup. The discussion of this proposal
    (via newsgroup messages) was more than vigorous or even heated. At
    times, it was nasty and vitriolic.

    During that discussion, messages began to appear in which I indicated a
    change of mind. According to these messages, I now opposed the proposal.
    These messages were, of course, fakes with forged headers that used my
    E-mail address. I quickly halted this fraud. I sent a message to the
    newsgroup to alert the participants that fake messages were appearing
    under my name. This message, however, was signed with my PGP key. The
    text warned others that any message without my signature was a fake; it
    also described how to obtain my PGP key. The warning informed the other
    participants that, not only should they look for the signature, but they
    should also verify it to ensure that no one else had altered the message
    and that no one attempted to submit a forged message after copying my
    signature from another, authentic message that I had signed.

    --

    David E. Ross


    Concerned about someone (e.g., Pres. Bush) snooping
    into your E-mail? Use PGP.
    See my

  5. Re: OpenPGP-signed messages on Usenet: current best practice

    Yeah I quickly realized that the best thing is to avoid PGP/MIME for the
    time being. Anybody without a PGP/MIME capable client will not be able
    to read ANY of your message.

    At least if you use an inline signature, all they have to do is ignore
    the top two lines of text.

    Also, you can't do PGP/MIME S/MIME at the same time.

    So if you want to sign with both PGP and a Certificate, you are FORCED
    to use Inline PGP.

    Until PGP/MIME finds it's way into more e-mail clients standard, you
    might as well just stick with inline.

    If someone wants to whine about the top two lines, let em, lol.

    It would be nice if Thunderbird supported PGP OOB, but even with the
    extension you still have to install GnuPG.



    Tristan Miller wrote:
    > Greetings.
    >
    > Is there any consensus on the posting of OpenPGP-signed articles to
    > non-binary newsgroups? Are they welcome or hated? Are they considered
    > binary attachments? About what proportion of Usenet readers are using a
    > newsreader that recognizes and correctly processes (i.e., verify the
    > signature if PGP/GnuPG software is installed, otherwise ignore but
    > indicate that a signature is present) PGP-signed articles?
    >
    > I know, for example, that Microsoft Outlook Express's handling of
    > OpenPGP-signed mail is terrible -- it presents a blank message with both
    > the text and digital signature parts as attachments, and doesn't identify
    > the signature as a signature, so Outlook Express users often write me back
    > saying, "I couldn't open your second attachment!". Does Outlook Express
    > (or other popular newsreaders) do the same thing for signed newsgroup
    > articles?
    >
    > Regards,
    > Tristan
    >


    --
    Matt Westfall
    Owner / Operator
    FiftyPounds Internet
    http://www.fiftypounds.com

    This message is digitally signed with Pretty Good Privacy (PGP)
    Info: http://en.wikipedia.org/wiki/Pretty_Good_Privacy

  6. Re: OpenPGP-signed messages on Usenet: current best practice

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: RIPEMD160

    Matt Westfall wrote in
    news:BMidnaO2i_YEk9XZRVn-rw@comcast.com:


    > Until PGP/MIME finds it's way into more e-mail clients standard, you
    > might as well just stick with inline.



    I am definitely not a fan of PGP/MIME (mostly because I don't like/trust
    email attachments). However, one of the really nice things about PGP 9.x
    is that the email proxy makes just about all email clients PGP/MIME
    compatible.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP Desktop 9.0.6 (Build 6060)
    Comment: My PGP FAQ: http://www.mccune.cc/PGP.htm

    iQEVAwUBREgaVGDeI9apM77TAQOr9Qf/daPGUj2q9dm9U6WvMSAUzUcye7gFjA9s
    Lx6NuIwLq0t+973XVSClN7PKoDxMOphZriaQ9KwuM+bci7leFX 8LhqtjCzCB09MQ
    d13AEk0ILnlvpLUxrnE2rNzah8mPQnBoChjsTrmvs5pWzBQWe7 bVFgDkuQa7+TdV
    6KX1xbj1mmBYNthvmUVPrGaNjK4Sh1fhuLnY6zTJGxAo32Evtu 63gQvPp6TmZ7dI
    gI/Lg6+Q2s+bhHuv7orTG1BrkT5fz7F8yZyv0D57CTlXEfQG2f2lJ/g4pV3H3x17
    yQj8g/+aaUz4OVe1dzQuoh21gCPEBh35xp1WtdwQNjVrxZNGSQylFw==
    =0Zxs
    -----END PGP SIGNATURE-----

  7. Re: OpenPGP-signed messages on Usenet: current best practice

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    True tom True.

    I'm not trying to pay for PGP functionality though, lol.

    And actually, thunderbird makes the PGP/MIME stuff go away and it just
    turns it into a message and says "good signature" and / or "Decrypted"
    up top.

    Matt Westfall
    Owner / Operator
    FiftyPounds Internet
    http://www.fiftypounds.com

    This message is digitally signed with Pretty Good Privacy (PGP)
    Info: http://en.wikipedia.org/wiki/Pretty_Good_Privacy



    Tom McCune wrote:
    > Matt Westfall wrote in
    > news:BMidnaO2i_YEk9XZRVn-rw@comcast.com:
    >
    >
    >>> Until PGP/MIME finds it's way into more e-mail clients standard, you
    >>> might as well just stick with inline.

    >
    >
    > I am definitely not a fan of PGP/MIME (mostly because I don't like/trust
    > email attachments). However, one of the really nice things about PGP 9.x
    > is that the email proxy makes just about all email clients PGP/MIME
    > compatible.
    >

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.3 (MingW32)

    iD8DBQFESNnZb/8X6V5MpAURAkLQAKCyennJTySMWw80RNpFmpnCB2a1GACg0dOB
    UKYg7TC4XUk/RaeNP8y+JWI=
    =1S5d
    -----END PGP SIGNATURE-----

+ Reply to Thread