This is a discussion on Morons within the Slackware Linux Support forums, part of the Unix Operating Systems category.
On Fri, 09 Apr 2004 13:48:13 -0500, Alan Hicks wrote:

>> From what I've seen in here, the only people who are "victims" of this are
>> the people using PGP... Or perhaps a person that is truly just a genuine
>> asshole.

> Guy Macon isn't using PGP and the troll around here is trying to
> impersonate him through an anonymous re-mailer.

Well then, maybe he falls into the other category of "victim"?

>> Assuming you mean proving what was said using Google Groups, PGP would
>> have no bearing on it. The archives of Google Groups are pretty much
>> inaccessible for malicious editing, are they not?

> Your argument includes a non sequitur. Yes, the archives at
> groups.google.com are pretty much non-editable, which is partially the
> problem. A troll attempting to impersonate you is archived right along
> with your posts. It's easy to prove to others that these posts are
> signed by me and these others aren't. You don't have to edit the
> archives if you inject malicious material into the archives
> initially.

I see that point. Maybe you can clear something up for me then. I admit to knowing little about PGP. What is to stop an impersonator from cut-and-pasting your signature block at the bottom into a message that he forges? It would look the same when it appeared in a forum such as this, or in the Google Groups archives. How can you "prove" that you didn't write something like that? For that matter, how can you "prove" that you wrote something which you did actually write?

>> That's a little weak there. I mean what I say just as much, whether I
>> sign it or not, and I don't think anybody "believes" me more if I sign it.

> There you're wrong. I would believe you more if you digitally signed
> your data.

Perhaps you would, as you clearly are a supporter of PGP. I would guess that you and the others who use it here account for less than 1% of the people here. So what would I actually accomplish by using it?

>> Your signature delimiter is broken, and you should fix it.

> We have had this argument before. Digitally signed posts use that .sig
> delimiter.

Maybe "you" have had the argument before, but "we" haven't. I'll assume that is so the signature block is not seen as part of the signature, although I don't see what harm that would do it. A point on that though, doesn't the fact that you use PGP violate an RFC about signature delimiters, or at a minimum go against widely accepted "netiquette"? Not trying to flame here, just asking what I see as valid questions.

-- 
If you're not on the edge, you're taking up too much space.
Linux Registered User #327951
| |||
Guy Macon <http://www.guymacon.com> wrote:

> Point well taken. If I decide to start signing my posts, it won't be
> because of the invalid reasons I gave above. I will do it because a
> bully is telling me not to.

Then it will already be too late, it's too late now as Keith so eloquently points out. As he points out you could have started out *always* signing, but any signed post now does not prove any specific personal identity. In fact proving who you are now is a philosophical exercise, not something you *can* achieve.

-- 
Two Ravens
"...hit the squirrel..."
| |||
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In alt.os.linux.slackware, Dan C dared to utter,
> I see that point. Maybe you can clear something up for me then. I admit
> to knowing little about PGP. What is to stop an impersonator from
> cut-and-pasting your signature block at the bottom into a message that he
> forges?

Because the signatures are unique for each message.

PGP (and therefore GPG) works by using public/private key encryption. Anything encrypted with the public key can only be decrypted by the private key. This is regular encryption, used to keep the contents of a message secret. You can also sign messages by placing an ASCII hash of your message at the bottom of the post. This hash is created with your private key, and is unique for each and every message you use. It is then decrypted by anyone who wishes to do so with your public key. When the decryption matches the contents of the post, you know you have a valid signature. Copying the hash from one post to the next will not work, because the unencrypted hash won't match the contents.

> How can you "prove" that you didn't
> write something like that?

It's theoretically impossible to prove that you _didn't_ write something. I for example could write something and not sign it.

> For that matter, how can you "prove" that you
> wrote something which you did actually write?

If you want to be 100% technical, I guess you can't prove beyond any doubt that you wrote those posts, but you can prove that you are in possession of the secret key that was used to sign those posts.

> Maybe "you" have had the argument before, but "we" haven't. I'll assume
> that is so the signature block is not seen as part of the signature,
> although I don't see what harm that would do it. A point on that though,
> doesn't the fact that you use PGP violate an RFC about signature
> delimiters, or at a minimum go against widely accepted "netiquette"?

Again, search this group's archives. PGP (the software) broke the "-- " delimiter rule a long time ago, and hasn't yet fixed it. While GPG can be made to use the proper .sig delimiter, PGP cannot then be used to decrypt the private hash and verify that the post was signed by who said they signed it. As for violating the RFC about signature length, the RFC specifically says that signatures _should_ be kept to 4 lines max (note it doesn't require this, though I agree that 4 lines is a good standard to hold by), but makes an exception for the hashes of digital signatures.

> Not
> trying to flame here, just asking what I see as valid questions.

Duly noted. Your first posts came across as rather obnoxious. This one did not.

- -- 
It is better to hear the rebuke of the wise,
Than for a man to hear the song of fools.
Ecclesiastes 7:5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFAdxGjL3KiNGOqr6ERAjVVAKCkIONL1mFvCMo3HTTaXZ/7+vp8fwCglVeN
yW9r28ilf4jf2fYGuFs5Y0Q=
=21lu
-----END PGP SIGNATURE-----
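The question asked and answered in the post above, whether a signature block copied onto a forged message would still check out, as an added example that is not part of the original thread and is not GnuPG's code. It assumes a toy textbook-RSA key built from two Mersenne primes in place of a real OpenPGP key; the function names and sample posts are constructed for illustration.

```python
import hashlib

# Toy textbook-RSA key built from two Mersenne primes. Constructed for this
# demonstration only: no padding, not OpenPGP, not secure for real use.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                                   # public modulus
E = 65537                                   # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent (Python 3.8+)


def digest(message: str) -> int:
    """SHA-256 of the message text, as an integer smaller than N."""
    return int.from_bytes(hashlib.sha256(message.encode("utf-8")).digest(), "big")


def sign(message: str) -> int:
    """Private-key operation: the result depends on every byte of the message."""
    return pow(digest(message), D, N)


def verify(message: str, signature: int) -> bool:
    """Public-key operation: recover the signed digest and compare it with a
    fresh digest of the text that is actually in front of the reader."""
    return pow(signature, E, N) == digest(message)


def dash_escape(text: str) -> str:
    """Cleartext-signature framing prefixes '- ' to any line starting with '-',
    which is why a signed post shows '- -- ' instead of the '-- ' delimiter."""
    return "\n".join("- " + line if line.startswith("-") else line
                     for line in text.split("\n"))


def demo() -> dict:
    genuine = "I will be at the meeting.\n-- \nAlan"      # constructed sample post
    forged = "I will NOT be at the meeting.\n-- \nAlan"   # impersonator's text
    sig = sign(genuine)
    return {
        "genuine_ok": verify(genuine, sig),
        "pasted_onto_forgery_ok": verify(forged, sig),    # copied signature block
        "same_signature_for_both": sign(forged) == sig,
        "escaped_delimiter": dash_escape(genuine).split("\n")[1],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

A reader who only looks at the pasted block sees no difference between the two posts; the mismatch shows up only when the signature is checked against the text with the signer's public key.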
| |||
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In article <1081543256.55423.0@dyke.uk.clara.net>, Two Ravens wrote:
> Guy Macon <http://www.guymacon.com> wrote:
>
>> Point well taken. If I decide to start signing my posts, it won't be
>> because of the invalid reasons I gave above. I will do it because a
>> bully is telling me not to.
>
> Then it will already be too late, it's too late now as Keith so
> eloquently points out.

I did? I can't remember.

- --keith

- -- 
kkeller-usenet@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://wombat.san-francisco.ca.us/cgi-bin/fom
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (Darwin)

iD4DBQFAdx0qhVcNCxZ5ID8RAqEtAJY+6GhuPlS3pEYH+ruy7tJujZllAJ9o6PZh
NAtCTfJPG736VXSHgUi3ww==
=V838
-----END PGP SIGNATURE-----
| |||
Keith Keller wrote:

>> Then it will already be too late, it's too late now as Keith so
>> eloquently points out.
>
> I did? I can't remember.
>
> - --keith

You're quite right, it was Joost, my apologies to both of you, I was conflating two answers in two threads. My only excuse is I've had a *lot* of painkillers today.

However my contention, and Joost's, still stands: it's far too late for any claim of, or use of GPG/PGP as an indication of, any personal identity. Whilst it worked for +Chiron+, he was stuck with the GPG until he adopted a new 'nom de plume'.

-- 
Two Ravens
"...hit the squirrel..."
| |||
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Your GPG key has expired...just thought you might like to know

- -- 
RedBeard
redbeard at techdudez dot com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAd3FFoRwEKUynzjERAqdfAJ4u6RNgso9GgGrJipD2vaCrX5Z71ACgiijo
g0F2GvYLH2ec2LEYFIQsKNY=
=da7X
-----END PGP SIGNATURE-----
| ||||
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In article <40777149$0$157$892e0abb@auth.newsreader.octanews.com>, RedBeard wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> Your GPG key has expired...just thought you might like to know

Please fetch the latest key from wwwkeys.us.pgp.net. (And next time,
please don't rely on the thread being intact when you're speaking to
someone directly--who is ''you'' in the above context? Nobody would
know without the rest of the thread.)

If it still doesn't work, you should email me directly (without
- -usenet) so that we don't bother the newsgroup with something that's
clearly offtopic.

- --keith

- -- 
kkeller-usenet@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://wombat.san-francisco.ca.us/cgi-bin/fom
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (Darwin)

iD8DBQFAd3rZhVcNCxZ5ID8RAp5YAJ9ibp6vXJ0fqUDz6kx+Pup+OuXyIQCfSJ2r
CrUXB8KsBf4dDSnUF1xNgqo=
=D4r3
-----END PGP SIGNATURE-----