What method do *you* use for signing Usenet posts?

What method do *you* use for signing Usenet posts?

[Kirk Strauser]

[-- Attachment #1: Type: text/plain, Size: 1008 bytes --]

I've recently switched to Oort and PGG and have started signing all outgoing
messages.  I hadn't realized that people in some Usenet groups were going to
get seriously upset at my usage of PGP/MIME signatures ("Ack!  You're
sending us viruses!").  Now, I have every intention of continuing to sign my
mail and postings, but need some advice.  What method of signing should I
use?  I see three problems:

1) Some people freak out when they see attachments (silly Outlook Express
   users. :) ).

2) Some mailers and newsreaders freak out when they see attachments ("Hey, I
   know, I'll just display a blank message!").

3) Some people freak out when they see plaintext signatures inserted at the
   end of an email message ("Your computer must be broken because I couldn't
   read that last part of your email.").

Has anyone found a way to peacefully co-exist with people who get upset when
they see something they don't understand?
-- 
Kirk Strauser
In Googlis non est, ergo non est.

[-- Attachment #2: Type: application/pgp-signature, Size: 188 bytes --]

Re: What method do *you* use for signing Usenet posts?

[Josh Huber]

Kirk Strauser <kirk@strauser.com> writes:

> Has anyone found a way to peacefully co-exist with people who get
> upset when they see something they don't understand?

Really, if that's the goal, the only answer is to not sign your usenet
postings... :)

-- 
Josh Huber

Re: What method do *you* use for signing Usenet posts?

[Kirk Strauser]

[-- Attachment #1: Type: text/plain, Size: 502 bytes --]


At 2003-01-19T18:12:46Z, Josh Huber <huber@alum.wpi.edu> writes:

> Really, if that's the goal, the only answer is to not sign your usenet
> postings... :)

Well, I'd really prefer to avoid that method.  It's kind of the principal of
the thing: why should I be less interested in protecting my identity on
Usenet than on mailing lists? (note: I *did* see the smiley :) ).

Alternatively, is there a FAQ I can point complainers toward?
-- 
Kirk Strauser
In Googlis non est, ergo non est.

[-- Attachment #2: Type: application/pgp-signature, Size: 188 bytes --]

Re: What method do *you* use for signing Usenet posts?

[Vasily Korytov]

[-- Attachment #1: Type: text/plain, Size: 643 bytes --]

>>>>> "KS" == Kirk Strauser writes:

 KS> 2) Some mailers and newsreaders freak out when they see attachments
 KS>    ("Hey, I know, I'll just display a blank message!").

Correct, some Usenet readers are not MIME-compatible. Personally I try
not to use MIME on Usenet. If you want PGP in Usenet, better use the
RFC1991-compatible version.

 KS> 3) Some people freak out when they see plaintext signatures
 KS>    inserted at the end of an email message ("Your computer must be
 KS>    broken because I couldn't read that last part of your email.").

You can safely tell them: RTFM. And/or get a better newsreader. =))

---Vas

[-- Attachment #2: Type: application/pgp-signature, Size: 188 bytes --]

Re: What method do *you* use for signing Usenet posts?

[Xavier MAILLARD]

[-- Attachment #1: Type: text/plain, Size: 850 bytes --]

On Sun, 19 Jan 2003, Vasily Korytov uttered the following:

> >>>>> "KS" == Kirk Strauser writes:
>  
>   KS> 2) Some mailers and newsreaders freak out when they see
>   KS>    attachments ("Hey, I know, I'll just display a blank
>   KS>    message!").
>  
>  Correct, some Usenet readers are not MIME-compatible. Personally I
>  try not to use MIME on Usenet. If you want PGP in Usenet, better use
>  the RFC1991-compatible version.

Yup
  
>   KS> 3) Some people freak out when they see plaintext signatures
>   KS>    inserted at the end of an email message ("Your computer must
>   KS>    be broken because I couldn't read that last part of your
>   KS>    email.").
>  
>  You can safely tell them: RTFM. And/or get a better newsreader. =))

Argh ! You have preceded me :) It is exactly what I would have said ;-)

zeDek

[-- Attachment #2: Type: application/pgp-signature, Size: 188 bytes --]

Re: What method do *you* use for signing Usenet posts?

[Kirk Strauser]

[-- Attachment #1: Type: text/plain, Size: 567 bytes --]


At 2003-01-19T20:03:49Z, deskpot@myrealbox.com (Vasily Korytov) writes:

> Correct, some Usenet readers are not MIME-compatible. Personally I try not
> to use MIME on Usenet. If you want PGP in Usenet, better use the
> RFC1991-compatible version.

Gotcha.  I don't know my way around PGG well enough yet to know how to do
so.  Can it do this?

> You can safely tell them: RTFM. And/or get a better newsreader. =))

Yeah, that did a *lot* to settle the flames I was receiving, let me tell
ya.  ;-)
-- 
Kirk Strauser
In Googlis non est, ergo non est.

[-- Attachment #2: Type: application/pgp-signature, Size: 188 bytes --]

Re: What method do *you* use for signing Usenet posts?

[Simon Josefsson]

Kirk Strauser <kirk@strauser.com> writes:

> At 2003-01-19T20:03:49Z, deskpot@myrealbox.com (Vasily Korytov) writes:
>
>> Correct, some Usenet readers are not MIME-compatible. Personally I try not
>> to use MIME on Usenet. If you want PGP in Usenet, better use the
>> RFC1991-compatible version.
>
> Gotcha.  I don't know my way around PGG well enough yet to know how to do
> so.  Can it do this?

Yup.  Click on "PGP Sign" instead of "PGP/MIME Sign", or use "pgp"
instead of "pgpmime" in the MML tags.

Re: What method do *you* use for signing Usenet posts?

[Vasily Korytov]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


>>>>> "KS" == Kirk Strauser writes:

 KS> At 2003-01-19T20:03:49Z, deskpot@myrealbox.com (Vasily Korytov) writes:
 >> Correct, some Usenet readers are not MIME-compatible. Personally I try not
 >> to use MIME on Usenet. If you want PGP in Usenet, better use the
 >> RFC1991-compatible version.

 KS> Gotcha.  I don't know my way around PGG well enough yet to know how to do
 KS> so.  Can it do this?

Surely. But PGG setup has nothing to do with it. Just remove `mime' from
the tag to sign the message (i.e. <#secure method=pgpmime
mode=sign>). You can see the result in this message -- I use Oort from
CVS and gpg.el (PGG should work as well).

 >> You can safely tell them: RTFM. And/or get a better newsreader. =))

 KS> Yeah, that did a *lot* to settle the flames I was receiving, let me tell
 KS> ya.  ;-)

Well, of course, the arguments differ greatly because of opponents. The
above is what I think -- and in every newsgroup or maillist, that has
something serious to do with computers, I would say the same. Maybe,
with the date of RFC1991 published too.

If the target auditorium does not want knowing anything, of course, it
would be such as: ``Don't worry and simply ignore that chunk. Frankly,
it's the digital signature (if you want, you can read more at
<http://www.pgpi.net/>[2] and <http://www.gnupg.org/>).[1]'' Note, that
this expression does not blame anyone -- when dealing with people,
knowing nothing, about subject, it may be the key moment. If they feel
interested, they may go to the URLs above, if they're still intrestedm
they will be asking: ``How do I manage having those cool digital
signatures?'' And it's the maximum, you can reach.

[1] It may be a good idea to include the short alike explanation in the
    signature, used for such newsgroups.

[2] I'm not sure, if I've misspelt the URL, and, unfortunately, can't
    check it at the moment.

- ---Vas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+KzJ5oPg1JPzYGEERAqD/AJ9O1fbj+l+nI8fen5cMm7UrBq4PUwCfdy6H
uCxRo0bb3WYm8OnvgpI9WlQ=
=BfIB
-----END PGP SIGNATURE-----

Re: What method do *you* use for signing Usenet posts?

[Andreas Fuchs]

Today, Vasily Korytov <deskpot@myrealbox.com> wrote:
>>>>>> "KS" == Kirk Strauser writes:
>  KS> Gotcha.  I don't know my way around PGG well enough yet to know
>  KS> how to do so.  Can it do this?
> 
> Surely. But PGG setup has nothing to do with it. Just remove `mime'
> from the tag to sign the message (i.e. <#secure method=pgpmime
> mode=sign>). You can see the result in this message -- I use Oort from
> CVS and gpg.el (PGG should work as well).

I wonder - why does the user have to decide such things? Would it not
make more sense to just specify the method and let gnus itself figure
out whether it should use mime or not (i.e. if there is a mime part, use
detached signatures, if not, use plain pgp)?


-- 
Andreas Fuchs, <asf@acm.org>, asf@jabber.at, antifuchs

Re: What method do *you* use for signing Usenet posts?

[Josh Huber]

Andreas Fuchs <asf@void.at> writes:

> I wonder - why does the user have to decide such things? Would it
> not make more sense to just specify the method and let gnus itself
> figure out whether it should use mime or not (i.e. if there is a
> mime part, use detached signatures, if not, use plain pgp)?

I really like this idea.  Way back in the day (okay, only about a year
ago, I think... :), I put in some logic which scans though the message
and decides whether or not to automatically insert a multipart signed
tag, or a part signed tag.

Prior to that, if you selected "sign" or "encrypt" it would only get
the first part in the case of a multi-part message. This could be
quite bad, and almost certainly was not what the user was expecting to
happen.

We could have some other tag, such as "pgpauto", which selected plain
PGP when there were no other attachments, but used pgp/mime if there
were.

The problem which arises from this (IMHO) is one of keybindings.  What
do we use?  I already don't like the fact that there are separate
keybindings for pgp and pgp/mime -- personally, I think there should
be one keyboard interface for signing/encrypting, and there should be
another variable which selects what style those commands use.

-- 
Josh Huber

Re: What method do *you* use for signing Usenet posts?

[Vasily Korytov]

[-- Attachment #1: Type: text/plain, Size: 1127 bytes --]

>>>>> "asf" == Andreas Fuchs writes:

 asf> Today, Vasily Korytov <deskpot@myrealbox.com> wrote:
 >> Surely. But PGG setup has nothing to do with it. Just remove `mime'
 >> from the tag to sign the message (i.e. <#secure method=pgpmime
 >> mode=sign>). You can see the result in this message -- I use Oort from
 >> CVS and gpg.el (PGG should work as well).

 asf> I wonder - why does the user have to decide such things? Would it not
 asf> make more sense to just specify the method and let gnus itself figure
 asf> out whether it should use mime or not (i.e. if there is a mime part, use
 asf> detached signatures, if not, use plain pgp)?

IMHO, the user _has_ to decide it. For example, I prefer PGP/MIME for
mail, but when I use PGP for Usenet (I usually don't, but that's another
story), I want RFC1991 PGP.

I can prefer having PGP/MIME for one recipient, and old style PGP for
another. It may be really useful, so why eliminating this option (why
removing options anyway -- it's the Outlook way, we all know, in what it
results)?

BTW, the behaviour, you want, can be made through hooks.

---Vas

[-- Attachment #2: Type: application/pgp-signature, Size: 188 bytes --]

Re: What method do *you* use for signing Usenet posts?

[Andreas Fuchs]

Today, Vasily Korytov <deskpot@myrealbox.com> wrote:
>  asf> I wonder - why does the user have to decide such things? Would
>  asf> it not make more sense to just specify the method and let gnus
>  asf> itself figure out whether it should use mime or not (i.e. if
>  asf> there is a mime part, use detached signatures, if not, use plain
>  asf> pgp)?
> 
> IMHO, the user _has_ to decide it. For example, I prefer PGP/MIME for
> mail, but when I use PGP for Usenet (I usually don't, but that's
> another story), I want RFC1991 PGP.
> 
> I can prefer having PGP/MIME for one recipient, and old style PGP for
> another. 

IMHO, there is no way to prefer one over the other: If there are mime
parts in the message, it should be signed as a multipart, and if there
is no mime part in it, gnus should not put one in, for size and
compatibility considerations.

> It may be really useful, so why eliminating this option (why removing
> options anyway -- it's the Outlook way, we all know, in what it
> results)?

I don't intend to rename a common option, I only suggested that the
<secure> code be made to work as expected - secure a message and ensure
that most receipients (even outlook users, stupid email gateways which
don't grok mime) can read and decode it.

> BTW, the behaviour, you want, can be made through hooks.

Absolutely. But in my opinion, it's a reasonable default, so why not
make it one? (-:

-- 
Andreas Fuchs, <asf@acm.org>, asf@jabber.at, antifuchs

Re: What method do *you* use for signing Usenet posts?

[Vasily Korytov]

[-- Attachment #1: Type: text/plain, Size: 885 bytes --]

>>>>> "asf" == Andreas Fuchs writes:

 asf> Today, Vasily Korytov <deskpot@myrealbox.com> wrote:
 >> I can prefer having PGP/MIME for one recipient, and old style PGP for
 >> another. 

 asf> IMHO, there is no way to prefer one over the other: If there are mime
 asf> parts in the message, it should be signed as a multipart, and if there
 asf> is no mime part in it, gnus should not put one in, for size and
 asf> compatibility considerations.

Ha. Seems, you simply don't know much about ``compatibility
considerations''. Some MUAs only have the support for RFC1991, some --
only for 2015. So there's a good reason to specify it sometimes
manually.

Next, I prefer PGP/MIME, where it's possible -- because it's a much more
cleaner standard. Why can't I do so? Why should I be forced to use
RFC1991-style PGP only because you think it's the right choice?

---Vas

[-- Attachment #2: Type: application/pgp-signature, Size: 188 bytes --]

Re: What method do *you* use for signing Usenet posts?

[Vasily Korytov]

[-- Attachment #1: Type: text/plain, Size: 1220 bytes --]

>>>>> "VK" == Vasily Korytov writes:

>>>>> "asf" == Andreas Fuchs writes:
 asf> IMHO, there is no way to prefer one over the other: If there are mime
 asf> parts in the message, it should be signed as a multipart, and if there
 asf> is no mime part in it, gnus should not put one in, for size and
 asf> compatibility considerations.

 VK> Ha. Seems, you simply don't know much about ``compatibility
 VK> considerations''. Some MUAs only have the support for RFC1991, some --
 VK> only for 2015. So there's a good reason to specify it sometimes
 VK> manually.

Yeah, one thing more about ``compatibility considerations'' and ``broken
email gateways'', both mentioned by you. Well, I had a POP3 accound on
the M$ME server -- and this machine did weird things with PGP
signatures. The signed part was left, the signature was cut, the whole
former message was attached as application/ms-tnef -- having a normal
PGP-signed message on the SMTP input. So, the signatures were
practically deleted. But in RFC1991-style messages this stupid Exchange
couldn't find the text part -- and removed everything.

So, nothing is so simple. RFC1991 isn't the compatibility aid, as you
propose it to be.

---Vas

[-- Attachment #2: Type: application/pgp-signature, Size: 188 bytes --]

Re: What method do *you* use for signing Usenet posts?

[Andreas Fuchs]

[-- Attachment #1.1: Type: text/plain, Size: 411 bytes --]

On 2003-01-19, Josh Huber <huber@alum.wpi.edu> wrote:
> We could have some other tag, such as "pgpauto", which selected plain
> PGP when there were no other attachments, but used pgp/mime if there
> were.

Did just that (and this message is a test of the function as well
(-:). Use `M-x mml-secure-message-sign-pgpauto' to sign messages; gnus
should figure the rest out by itseld.

Here is the patch:

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1.2: mml-auto-signing.diff --]
[-- Type: text/x-patch, Size: 3379 bytes --]

Index: lisp/mml-sec.el
===================================================================
RCS file: /usr/local/cvsroot/gnus/lisp/mml-sec.el,v
retrieving revision 1.18
diff -c -u -r1.18 mml-sec.el
--- lisp/mml-sec.el	2002/10/09 23:29:53	1.18
+++ lisp/mml-sec.el	2003/01/20 07:36:58
@@ -31,6 +31,7 @@
 (defvar mml-sign-alist
   '(("smime"     mml-smime-sign-buffer     mml-smime-sign-query)
     ("pgp"       mml-pgp-sign-buffer       list)
+    ("pgpauto"   mml-pgpauto-sign-buffer  list)
     ("pgpmime"   mml-pgpmime-sign-buffer   list))
   "Alist of MIME signer functions.")
 
@@ -40,6 +41,7 @@
 (defvar mml-encrypt-alist
   '(("smime"     mml-smime-encrypt-buffer     mml-smime-encrypt-query)
     ("pgp"       mml-pgp-encrypt-buffer       list)
+    ("pgpauto"   mml-pgpauto-sign-buffer  list)
     ("pgpmime"   mml-pgpmime-encrypt-buffer   list))
   "Alist of MIME encryption functions.")
 
@@ -49,6 +51,7 @@
 (defcustom mml-signencrypt-style-alist
   '(("smime"   separate)
     ("pgp"     separate)
+    ("pgpauto" separate)
     ("pgpmime" separate))
   "Alist specifying if `signencrypt' results in two separate operations or not.
 The first entry indicates the MML security type, valid entries include
@@ -118,6 +121,20 @@
   (or (mml2015-encrypt cont sign)
       (error "Encryption failed... inspect message logs for errors")))
 
+(defun mml-pgpauto-sign-buffer (cont)
+  (message-goto-body)
+  (or (if (re-search-backward "Content-Type: *multipart/.*" nil t) ; there must be a better way...
+	  (mml2015-sign cont)
+	(mml1991-sign cont))
+      (error "Encryption failed... inspect message logs for errors")))
+
+(defun mml-pgpauto-encrypt-buffer (cont &optional sign)
+  (message-goto-body)
+  (or (if (re-search-backward "Content-Type: *multipart/.*" nil t) ; there must be a better way...
+	  (mml2015-encrypt cont sign)
+	(mml1991-encrypt cont sign))
+      (error "Encryption failed... inspect message logs for errors")))
+
 (defun mml-secure-part (method &optional sign)
   (save-excursion
     (let ((tags (funcall (nth 2 (assoc method (if sign mml-sign-alist
@@ -148,6 +165,11 @@
   (interactive)
   (mml-secure-part "pgp" 'sign))
 
+(defun mml-secure-sign-pgp ()
+  "Add MML tags to PGP-auto sign this MML part."
+  (interactive)
+  (mml-secure-part "pgpauto" 'sign))
+
 (defun mml-secure-sign-pgpmime ()
   "Add MML tags to PGP/MIME sign this MML part."
   (interactive)
@@ -214,6 +236,11 @@
   (interactive)
   (mml-secure-message "pgpmime" 'sign))
 
+(defun mml-secure-message-sign-pgpauto ()
+  "Add MML tag to encrypt/sign the entire message."
+  (interactive)
+  (mml-secure-message "pgpauto" 'sign))
+
 (defun mml-secure-message-encrypt-smime (&optional dontsign)
   "Add MML tag to encrypt and sign the entire message.
 If called with a prefix argument, only encrypt (do NOT sign)."
@@ -231,5 +258,11 @@
 If called with a prefix argument, only encrypt (do NOT sign)."
   (interactive "P")
   (mml-secure-message "pgpmime" (if dontsign 'encrypt 'signencrypt)))
+
+(defun mml-secure-message-encrypt-pgpmime (&optional dontsign)
+  "Add MML tag to encrypt and sign the entire message.
+If called with a prefix argument, only encrypt (do NOT sign)."
+  (interactive "P")
+  (mml-secure-message "pgpauto" (if dontsign 'encrypt 'signencrypt)))
 
 (provide 'mml-sec)

[-- Attachment #1.3: Type: text/plain, Size: 79 bytes --]


Happy hacking,
-- 
Andreas Fuchs, <asf@acm.org>, asf@jabber.at, antifuchs

[-- Attachment #2: Type: application/pgp-signature, Size: 188 bytes --]

Re: What method do *you* use for signing Usenet posts?

[Simon Josefsson]

Andreas Fuchs <asf@void.at> writes:

> I wonder - why does the user have to decide such things? Would it not
> make more sense to just specify the method and let gnus itself figure
> out whether it should use mime or not (i.e. if there is a mime part, use
> detached signatures, if not, use plain pgp)?

The user will ultimately have the control, but suggesting a useful
default would be good.

OK, what about a setting that makes Gnus always use the sign/encrypt
style of the original message?  It shouldn't be PGP specific, but
support S/MIME too, of course.

Another setting would be to make Gnus always sign outgoing mail using
the "most appropriate" setting.  The most appropriate setting would be
configurable, using a predicate like '(if multipart "pgpmime" "pgp")'
or "smime" or whatever the user prefers.

Making a variable that makes Gnus sign/encrypt outgoing mail based on
a regular expression matching the recipient is more tricky -- what to
do when several recipients are specified, and only one match?  Ideally
one unsigned and one signed message should be sent, to the appropriate
recipients, but there is no framework for this right now AFAIK.

Re: What method do *you* use for signing Usenet posts?

[Lars Magne Ingebrigtsen]

Andreas Fuchs <asf@void.at> writes:

> Did just that (and this message is a test of the function as well
> (-:). Use `M-x mml-secure-message-sign-pgpauto' to sign messages; gnus
> should figure the rest out by itseld.
>
> Here is the patch:

Looks nice.

Nobody has sent me the list of copyright assignments yet (hint, hint :-),
so I have to ask: Do you have FSF copyright assignments on file?

-- 
(domestic pets only, the antidote for overdose, milk.)
   larsi@gnus.org * Lars Magne Ingebrigtsen

Re: What method do *you* use for signing Usenet posts?

[Xavier MAILLARD]

[-- Attachment #1: Type: text/plain, Size: 505 bytes --]

Andreas Fuchs <asf@void.at> writes:

>> Did just that (and this message is a test of the function as well
>> (-:). Use `M-x mml-secure-message-sign-pgpauto' to sign messages; gnus
>> should figure the rest out by itseld.
>>
>> Here is the patch:

>Looks nice.

>Nobody has sent me the list of copyright assignments yet (hint, hint :-),
>so I have to ask: Do you have FSF copyright assignments on file?

 Hum what are these copyrights ??
   larsi@gnus.org * Lars Magne Ingebrigtsen

zeDek

[-- Attachment #2: Type: application/pgp-signature, Size: 188 bytes --]

Re: What method do *you* use for signing Usenet posts?

[Andreas Fuchs]

Today, Lars Magne Ingebrigtsen <larsi@gnus.org> wrote:
> Andreas Fuchs <asf@void.at> writes:
> Looks nice.
> 
> Nobody has sent me the list of copyright assignments yet (hint, hint
> :-), so I have to ask: Do you have FSF copyright assignments on file?

I've signed papers for changes to Gnus. I think we should be fine (-:


-- 
Andreas Fuchs, <asf@acm.org>, asf@jabber.at, antifuchs

Re: What method do *you* use for signing Usenet posts?

[Andreas Fuchs]

Today, Andreas Fuchs <asf@void.at> wrote:
>> Nobody has sent me the list of copyright assignments yet (hint, hint
>> :-), so I have to ask: Do you have FSF copyright assignments on file?
> 
> I've signed papers for changes to Gnus. I think we should be fine (-:

Uh, make that "past and future" changes (:

-- 
Andreas Fuchs, <asf@acm.org>, asf@jabber.at, antifuchs

Re: What method do *you* use for signing Usenet posts?

[Lars Magne Ingebrigtsen]

Xavier MAILLARD <zedek@gnu-rox.org> writes:

>  Hum what are these copyrights ??

The FSF requires that all code in Emacs be assigned to the FSF.

-- 
(domestic pets only, the antidote for overdose, milk.)
   larsi@gnus.org * Lars Magne Ingebrigtsen

Re: What method do *you* use for signing Usenet posts?

[Lars Magne Ingebrigtsen]

Andreas Fuchs <asf@void.at> writes:

> I've signed papers for changes to Gnus. I think we should be fine (-:

Thanks; I've now applied the patch.

-- 
(domestic pets only, the antidote for overdose, milk.)
   larsi@gnus.org * Lars Magne Ingebrigtsen