From mboxrd@z Thu Jan 1 00:00:00 1970
From: jari.aalto@poboxes.com (Jari Aalto+list.ding)
Newsgroups: gmane.emacs.gnus.general
Subject: Re: Once again: PGnus & PGP
Date: 21 Apr 1999 18:49:36 +0300
References: <19990411101448.A523@psyche.clear.net.nz> <871zhq5msx.fsf@psyche.evansnet> <87u2ul4o5e.fsf@psyche.evansnet> <19990412230326.A23570@diabolo.ndh.net> <87so9vf30e.fsf@pc-hrvoje.srce.hr> <99Apr21.102640edt.13846-3@gateway.intersys.com>
In-Reply-To: Stainless Steel Rat's message of "Wed, 21 Apr 1999 10:29:54 -0400"
Original-To: Ding mailing list
X-Sender-Info: Emacs tiny tools: http://www.netforward.com/poboxes/?jari.aalto PGP 2.6.x keyid 47141D35 http://www.pgp.net/pgpnet/
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="Multipart_Wed_Apr_21_18:49:29_1999-1"

--Multipart_Wed_Apr_21_18:49:29_1999-1
Content-Type: text/plain; charset=US-ASCII

* Wed 1999-04-21 Stainless Steel Rat list.ding
* Message-Id: <99Apr21.102640edt.13846-3@gateway.intersys.com>
| | In newsgroups it was never a problem and you will find many of my X-pgp
| | signed messages posted in gnu group somewhere 1995-1997. I bet they still
| | can be verified today according to X-pgp spec.
|
| So, the numerous *USENET* control messages signed with X-pgp that I could
| not validate are just a figment of my imagination. I have had a 100%
| failure rate with X-pgp in exactly the environment you believe works 100%.
| That is why I say X-pgp is a bad standard and recommend that anyone using it
| be smacked upside the head with a large, heavy object.

We talk about different X-pgp's. The X-pgp I'm referring to is the
formalised description that addressed the problem you described
(spaces). It is not the same X-pgp that you learnt to know at the
start of the X-pgp era.

The X-pgp I formalised was never meant to be a full replacement of
PGP and that was stated all over the document.
It was offered as an alternative way to reduce the ugly PGP blocks
cluttering the body, e.g. when replying to mail. Moving the signing
information to headers made PGP a "good citizen" again in Newsgroups
and mailing lists while still gaining the advantages of PGP signing.

For entertainment, here is a quote from the now expired document;
please don't take that too seriously, since PGP/MIME is here finally.

jari

--Multipart_Wed_Apr_21_18:49:29_1999-1
Content-Type: text/plain; charset=US-ASCII

17.0 E APPENDIX -- attacks against not using x-pgp at all

17.1 We have our own personal threat models

Before you read further, let's discuss the threat model a bit. The
model defines the security (or paranoid) level you want to take when
using pgp. Here are a couple of examples of threat models that
describe how people feel about signing. The level numbers are
presented for clarity reasons only, and are not part of any universal
convention.

Mike, threat model rate 10

He believes that his every word must be protected against forgery and
that's why he uses pgp for everything. He uses base64 signing all the
time because he doesn't trust that clear signing would be reliable
enough when he sends text documents. He doesn't want to know a thing
about x-pgp because it brings huge cracks to his threat model.

John, threat model rate 9

He talks to several big companies every day and has used regular pgp
signing for years. It has proven to be a very useful and reliable way
to discuss things. One day he heard about X-pgp and, based on his
experience that one or two internet nodes don't follow the RFC
standards (some node discarded the X-headers), he decided not to use
it. He wants reliability before everything.

Andy, threat model rate 5-7

He questions the added value of the pgp signature in his messages.
After much hype and everyday use, he starts to think that most of the
people don't even verify his messages while they may have a pgp
signature attached.
"To verify the message of an unknown person, I would have to fetch his
key first and put it into the keyring. Why should I bother if he isn't
my close friend? If I think this way, so do others probably too, so
what does the pgp signature really add to my message?". He still
continues to use pgp signing, but he doesn't get upset if he sends
mail without a signature (maybe he was on an account that didn't have
pgp at hand, or he just didn't care to send a blocky pgp signature for
a 2 line message.)

When he sees the x-pgp standard he starts to think that it may suit
his needs. "Yeah, I get rid of the blocky pgp noise in the body of the
message and I still have signing. Great." He knows about the possible
loss of X-headers, and that this will probably never happen: this
threat doesn't bother him. He starts using x-pgp due to added message
clarity.

Important: He does think the Usenet posts are a different matter than
his private mail exchange between the other companies. He still uses
Regular signing for highly important messages, but for not so
important ones (usenet posts) he uses X-pgp.

Joe, threat model rate 3

He doesn't much believe that he should sign every mail; especially he
thinks it is snobbish to sign Usenet articles: "Why do people do that
_there_, do they really believe that their words will be twisted? I
haven't seen a Usenet node that would have modified article contents."
While he prefers not to see the PGP noise in the Usenet posts (his
phone line is slow and he pays for every character he sees there), he
understands that sometimes it is justified to sign highly important
messages: political, announcements.

He doesn't bother to sign Usenet articles, but he still thinks that
signing in a general sense is a good thing for private mail. Depending
on the current content and destination of the message, he uses x-pgp
or regular signing.
X-pgp mostly when he talks to his friends and Regular signing when
sending important mail to customers and companies (well, he actually
would prefer encryption, but many companies don't have PGP, so he just
signs the messages.)

Define your own threat model and examine X-pgp in that light. The
X-Pgp is only an alternative way to *represent* the signature.
Depending on your threat model, the possible side effects of utilizing
the x-pgp format may or may not bother you.

--Multipart_Wed_Apr_21_18:49:29_1999-1--