PGPsigs: the Choice of Con Artists

[Alan Connor]

I could create an identity, starting with say, an email address, in the
name of Timothy L. Sutton (tlsu...@hotmail.com), post on the Usenet for
a while, keep a low profile and pretend to be impressed with PGPsigs.

I could whip up a birth certificate and high school diploma (just
for starters) in that name (computers make such things childsplay) and
send them to anyone who asked. (they'd be able to contact the county where
it was allegedly issued and confirm that a person by that name was born
there, on that day. The local school would confirm that 'I' had graduated
on that year.

All this information is easily available. And since the fellow didn't
die in that county, there is no death certificate there....

I could get a snailmail address in that name in any major city,
with any mail sent there being forwarded to a PO box here (in a different
fake name) and vice-versa.

I could get the key signed by a whole lot of people.

Now THERE'S a system that would make any con artist's heart glow!

PGP really stands for: Pathetically Gullible Person

--
Alan C

[Alan Connor]

I could, in very short order, find the name of someone who was born in
a big city someplace, graduated from high school, then moved away
and died years later in a distant place.

With the aid of commonly available free software I could whip up fake
birth certificates and high school diplomas (using examples from the
city and high school in question as templates) that I could send to anyone
who asked.

I could then get an email address that resembled that name and use that
name on the Usenet for a while, keeping a low profile and pretending to
be impressed with PGPsigs.

I could easily acquire a snailmail address in another city
that SEEMED to be a street address, and have any mail sent to it forwarded
to a PO box (in another fake name) here, and vice-versa.

I could get the key signed by a whole lot of people, and they would have
a stake in insisting that I was who I said I was, because THEY signed the
key and THEIR reputations would be at stake.

-------------------------------------------------------------------------

[Keith Keller]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2003-10-28, Alan Connor <zzz...@xxx.yyy> wrote:
[FUD snipped]

>
> I could get the key signed by a whole lot of people,

How would you do this? None of the FUD you posted would convince me to
sign someone's PGP key. Unless you paid me well to keep your secret.

- --keith

- --
kkeller...@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://wombat.san-francisco.ca.us/cgi-bin/fom

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/nsgGhVcNCxZ5ID8RAuAQAJ94y4XPBQu5ToPRULibahfpb+ZRjwCbBgw3
N0krAbOaJzB1tc+9d4iWXLE=
=gdWs
-----END PGP SIGNATURE-----

[SINNER]

* Keith Keller Wrote in comp.os.linux.misc, on Tue, 28 Oct 2003 11:48:22 -0800:

> On 2003-10-28, Alan Connor <zzz...@xxx.yyy> wrote:
> [FUD snipped]

>> I could get the key signed by a whole lot of people,

> How would you do this? None of the FUD you posted would convince me to
> sign someone's PGP key. Unless you paid me well to keep your secret.

As frequent as he posts this drivel you could almost call it spam.

--
David | AGM Favorite Games - http://tinyurl.com/loec
Only adults have difficulty with childproof caps.

[DrMemory]

On Tue, 28 Oct 2003 11:48:22 -0800, Keith Keller
<kkeller...@wombat.san-francisco.ca.us> wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>On 2003-10-28, Alan Connor <zzz...@xxx.yyy> wrote:
>[FUD snipped]
>>
>> I could get the key signed by a whole lot of people,
>
>How would you do this? None of the FUD you posted would convince me to
>sign someone's PGP key. Unless you paid me well to keep your secret.
>
>- --keith

So what convinces you, or anyone, to sign a PGP key? I know nothing
about this stuff, but assume it is somewhat analogous to a notarized
signature? As a notary, I either have known the signer personally for
several years, or else see some form of ID with a photo that matches
the face and a signature that matches the current one; otherwise, no
seal goes on the document. When I accept a notarized document, I do so
not only with the blind trust that other notaries follow the same
procedures, but also with the knowledge that the other notary has, as
do I, a bond on file with the government of his or her jurisdiction.

Can you tell us how (or if) these concepts map into the space of PGP
keys?

[Alan Connor]

On Tue, 28 Oct 2003 21:59:20 GMT, SINNER <99nesorjd@gates_of_hell.INVALID> wrote:
>
>
> * Keith Keller Wrote in comp.os.linux.misc, on Tue, 28 Oct 2003 11:48:22 -0800:
>
>> On 2003-10-28, Alan Connor <zzz...@xxx.yyy> wrote:
>> [FUD snipped]
>
>>> I could get the key signed by a whole lot of people,
>
>> How would you do this? None of the FUD you posted would convince me to
>> sign someone's PGP key. Unless you paid me well to keep your secret.

Exactly......Lots of folks would pay 10's of 1000's for the basis of a
false identity.

>
> As frequent as he posts this drivel you could almost call it spam.

Thanks for what you have done here: Evaded addressing any of the points in my
article and just calling me names like a grade-schooler.....

Hey! If you want to use a pgpsig, then go for it.

If you expect me or anyone with any intelligence to accept it as anything
but but proof that you have the pgp software,

then you are as intellectually impoverished as you seem to be.

--
Alan C this post ends with w
q

[James Keasley]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In article <dqCnb.2031$bD3.60...@twister2.starband.net>, DrMemory wrote:
> On Tue, 28 Oct 2003 11:48:22 -0800, Keith Keller
><kkeller...@wombat.san-francisco.ca.us> wrote:

>>How would you do this? None of the FUD you posted would convince me to
>>sign someone's PGP key. Unless you paid me well to keep your secret.

> So what convinces you, or anyone, to sign a PGP key? I know nothing

> about this stuff, but assume it is somewhat analogous to a notarized
> signature? As a notary, I either have known the signer personally for
> several years, or else see some form of ID with a photo that matches
> the face and a signature that matches the current one; otherwise, no
> seal goes on the document. When I accept a notarized document, I do so
> not only with the blind trust that other notaries follow the same
> procedures, but also with the knowledge that the other notary has, as
> do I, a bond on file with the government of his or her jurisdiction.

> Can you tell us how (or if) these concepts map into the space of PGP
> keys?

Its pretty much the same, you sign someones key only if you know them
on sight, or if they present you with some photo ID[1] that matches the name
on the pgp/gpg key and provide the fingerprint.

However you can also assign a degree of trust to that signature that
relates to how much you trust the person whose key you signed to follow
a similar procedure, ranging from not at all to is a anally retentive
adherence to those procedures. This affects how much, if at all you
trust keys which a person whose key you have signed has also signed.

So while there isn't a central Authority, as such, you can decide how
much you trust other people to make sure that the key they are saying
actually belongs to who it says it does. You can decide to only trust
keys that you have signed after a face to face meeting and checking ID,
or you can decide to trust some or all of the people whose keys you have
signed to verify the identity of the owner, it just depends how paranoid
you are really.

- --
James jamesk[at]homeric[dot]co[dot]uk

"The future will be better tomorrow." - George W. Bush
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/nvkcqfSmHkD6LvoRAvzWAJ0bubUyfYQhSj6TIi3ue857y6MYpQCfcDEh
vt2lbbM6AFeOmGr/lMZZ3pY=
=R57v
-----END PGP SIGNATURE-----

[Alan Connor]

Sure. Except in very rare cases, they don't. And they are not required.

A few people have done this, and their signatures on a key are considered
to be valuable. Do they demand the same sort of documentation from the
people whose keys they sign? No.

Will they sign your key if you are a political or idealogical or commercial
enemy? No.

PGP, beyond the cryptography, is an elitist club and a purely political
construct.

[Andy Baxter]

This is the third seperate thread you've started on this topic since the
one you were discussing it in originally ended. It should be pretty
obvious by now that not everyone agrees with your point of view, so why
can't you just leave it be? To me, keeping on and on about something like
this is just as much a breach of netiquette (i.e. conventions people are
encouraged to follow to show respect for other posters and make good use
of the shared field of communication that is usenet) as the things that
you complain about. Does it matter whether you think that someone else
expects you to believe that PGP sigs are worth something, as long as you
know you don't?

andy

--
remove 'n-u-l-l' to email me. html mail or attachments will go in the spam
bin unless notified with [html] or [attachment] in the subject line.

[DrMemory]

On 28 Oct 2003 23:17:49 GMT, James Keasley <m...@privacy.net> wrote:
>
>However you can also assign a degree of trust to that signature that
>relates to how much you trust the person whose key you signed to follow
>a similar procedure, ranging from not at all to is a anally retentive
>adherence to those procedures.

Sort of like a notary signature ranging from being done with a #4
pencil, through ballpoint pen, to a bold magic marker...

>
>So while there isn't a central Authority, as such, you can decide how
>much you trust other people to make sure that the key they are saying
>actually belongs to who it says it does. You can decide to only trust
>keys that you have signed after a face to face meeting and checking ID,
>or you can decide to trust some or all of the people whose keys you have
>signed to verify the identity of the owner, it just depends how paranoid
>you are really.

So how does that affect me, the ultimate recipient of some signature
from a far-off corner of the world? How do I know it is genuine? What
if people who sign his key have absolutely no paranoia level? I
guess I better do some research on this....

[Andre Kostur]

drme...@starband.net (DrMemory) wrote in news:dqCnb.2031$bD3.602482789
@twister2.starband.net:

Same ideas go into signing a PGP key, and also depends on how widespread
you want your key to be "accepted". If you're working within an
organization for example, you would present yourself to HR, and they
could sign your key. That would make your key trusted within your
organiztion, but not necessarily outside your organization. (Perhaps a
partner org may trust your HR's signings, then again, maybe not). If you
want wider recognition, then you would have to go talk to larger security
orgs such as VeriSign, or Thawte, and see what sort of identity
verification you would need to go through in order for those
organizations to sign your keys. Once they sign, anybody who trusts
VeriSign (or Thawte, or whoever) would then trust your key. Note that
your key could be signed by multiple orgs (you could take your HR key and
have it signed by Thawte too.....).

[SINNER]

* Alan Connor Wrote in comp.os.linux.misc, on Tue, 28 Oct 2003 22:59:05 GMT:

Its comments like this that ruin your already non existent
credibility, you cant take criticism so resort to name calling, which I
DID NOT do but your obviously too dense to see that. (There is your name
calling for you.)

I don't use PGP and have no need for it, I just commented to add my
opinion to the mounting ones against your SPAM and stupidity.

You do all the things you claim others do but you seem to be above it
all, your nothing but a hack, but we all knew that, PLONK away.

--
David | AGM Favorite Games - http://tinyurl.com/loec

The church is near but the road is icy; the bar is far away but I will
walk carefully.
-- Russian Proverb

This line added to ensure PLONKing by the spamming lunitic known as AC

[Ed Murphy]

On Tue, 28 Oct 2003 23:50:35 +0000, DrMemory wrote:

> So how does that affect me, the ultimate recipient of some signature
> from a far-off corner of the world? How do I know it is genuine? What
> if people who sign his key have absolutely no paranoia level? I
> guess I better do some research on this....

It depends on how much you trust the signer(s), and you can make that
decision however you wish.

If Alice signs Bob's key, but you don't trust Alice, then you are by
no means forced to trust Bob.

[Alan Connor]

On Tue, 28 Oct 2003 23:32:58 +0000, Andy Baxter <ne...@earthsong.null.free-online.co.uk> wrote:
>
> This is the third seperate thread you've started on this topic since the
> one you were discussing it in originally ended. It should be pretty
> obvious by now that not everyone agrees with your point of view, so why
> can't you just leave it be? To me, keeping on and on about something like
> this is just as much a breach of netiquette (i.e. conventions people are
> encouraged to follow to show respect for other posters and make good use
> of the shared field of communication that is usenet) as the things that
> you complain about. Does it matter whether you think that someone else
> expects you to believe that PGP sigs are worth something, as long as you
> know you don't?
>
> andy

Well, if you really thought that, and had the integrity that you seem to
expect me to have.

Then you wouldn't have reponded to this thread.

So which is it? Are you pissed off because I thought your arguments earlier
were lame, or do you lack integrity?
As a matter of fact, I started this thread, PRECISELY because of bullshit
responses like this on the other one.

[Alan Connor]

Maybe you should note that almost no one has anyone but their buddies sign
their keys.

Why are you trying to give the impression that a distant ideal of PGP's is
a current reality?

That is VERY unethical.

And you should also note that no one HAS to use their key, and can just leave
it off, alter their headers, and do whatever they want, to then scurry back
to the shelter of their key and disavow whatever they've done.

PGPsig/keus are a very one-sided thing, forcing others to behave ethically
but not protecting anyone from the un-ethical behaviour of the key holder.

[Alan Connor]

On Wed, 29 Oct 2003 00:12:39 GMT, Andre Kostur <nntp...@kostur.net> wrote:
>
>

> drme...@starband.net (DrMemory) wrote in news:dqCnb.2031$bD3.602482789
> @twister2.starband.net:
>

You know, Andre Kostur of:

Organization: Incognito Software Inc.

It sure is convenient the way that "DrMemory" keeps feeding you straightlines.

I don't think he even exists.

I think these alleged conversations are pure theatre, staged by someone who
really doesn't want anyone to look closely at PGP.

[Keith Keller]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2003-10-29, Alan Connor <zzz...@xxx.yyy> wrote:
>
> I think these alleged conversations are pure theatre, staged by someone who
> really doesn't want anyone to look closely at PGP.

They're being staged by Frank, Purl Gurl's stalker from clpmisc.
Nothing gets by you, Alan!

- --frank, er, keith

- --
kkeller...@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://wombat.san-francisco.ca.us/cgi-bin/fom

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/n3XphVcNCxZ5ID8RAv1UAJ9Sb5NB6N6wYVcx5LcFckbi9O/FAgCeM4JS
uRLxxAv6Wpo4HxSP2cpImOk=
=UtIm
-----END PGP SIGNATURE-----

[Peter Köhlmann]

Alan Connor wrote:

Ah yes. You start a thread and do not expect anyone to answer. If someone
does, by default he "lacks integrity".
And you naturally had to start a new thread, because the other one was so
"contaminated" by BS. Sure.

You are the dumbest twit I ever encountered in this group
--
Howe's Law: Everyone has a scheme that will not work.

[Ed Murphy]

On Wed, 29 Oct 2003 05:59:14 +0000, Alan Connor wrote:

> And you should also note that no one HAS to use their key, and can just leave
> it off, alter their headers, and do whatever they want, to then scurry back
> to the shelter of their key and disavow whatever they've done.

Yeah, and guess what? Their disavowal falls flat, because they can't
prove that they *didn't* write that message.

PGP is designed to prove who *did* write PGP-signed messages. Kindly
stop blaming it for failing to do things that it was never designed to
do in the first place.

[Andy Baxter]

On Wed, 29 Oct 2003 05:59:09 +0000, Alan Connor wrote:

> On Tue, 28 Oct 2003 23:32:58 +0000, Andy Baxter <ne...@earthsong.null.free-online.co.uk> wrote:
>>
>> This is the third seperate thread you've started on this topic since the
>> one you were discussing it in originally ended. It should be pretty
>> obvious by now that not everyone agrees with your point of view, so why
>> can't you just leave it be? To me, keeping on and on about something like
>> this is just as much a breach of netiquette (i.e. conventions people are
>> encouraged to follow to show respect for other posters and make good use
>> of the shared field of communication that is usenet) as the things that
>> you complain about. Does it matter whether you think that someone else
>> expects you to believe that PGP sigs are worth something, as long as you
>> know you don't?
>>
>> andy
>
> Well, if you really thought that, and had the integrity that you seem to
> expect me to have.
>
> Then you wouldn't have reponded to this thread.

I do think that. It always annoys me when someone breaks a thread back
into the main list just to put their own point of view at the top. It's
not quite what you did - maybe you went away and thought about it and
decided to come back again, but it was enough like that that my first
reaction was to be pissed off you'd done this. I thought it would help to
point out that as far as I could see you were just pissing a lot of people
off and making a fool of yourself, and ask why it mattered to you that
much that you kept on doing this. Part of my integrity was that I tried
quite hard to avoid using some mean spirited put-down and just ask it as a
straight question.

> So which is it? Are you pissed off because I thought your arguments earlier
> were lame, or do you lack integrity?

Neither - the only earlier arguments I remember were about whether the 4
line sig rule made any sense. I still say that it doesn't matter that much
- to me the way you talk to people is more important than what you put in
your sig. If you really do have some personal experience of seeing
signatures grow into inflated monstrosities on some other group that you
cared about then talk about that instead of making up hypothetical
scenarios that seem ridiculous to me. I'd mostly forgotten about this
argument, but if I wasn't still annoyed by it, I guess I wouldn't have
just said this. The thing that pisses me off is you seem to be on such a
self-righteous ego-trip about how you're going to save everybody from the
evil PGP cabal, that you can't even listen to the arguments of people who
use it and reply to what they have said instead of what you think they're
saying.

> As a matter of fact, I started this thread, PRECISELY because of bullshit
> responses like this on the other one.

For what it's worth, my views on this at the moment are:

- you're right that PGP sigs look untidy - it would be better if they
could be put in the headers, but people can't easily do this until there's
some agreed convention for doing it properly, which is probably why they
end up in the body.
- They do offer some degree of protection against other people forging
your posts - if someone starts doing this then you can post a message
signed by you pointing it out, and people can compare it with all the
earlier posts you'd made if they want to check. If this happened to me, I
prefer to try to deal with it just through words, but if people want to do
it this way that's up to them as far as I'm concerned.
- I would be very wary of assuming that a PGP key implied anything certain
about a person's real world identity, for the sort of reasons you're
talking about, just as I would for any other document of this sort in real
life in situations when it might matter. But this is not relevant on
usenet - the issue is whether the same person is making posts under the
same name, not whether that is their real name. But I think most of the
people responding to your posts know that PGP sigs say nothing in
themselves about your real identity, and are just trying to point out the
ways they can be useful in spite of this, and how people try to make this
connection in a way they personally trust at times when it does matter.
- I think there are some situations where PGP signing can be very useful.
All the binary packages in the debian archive are signed with the same
key, which you can use to check whether the packages are genuine and
haven't been tampered with. If I was trying to set up a hardened system,
I'd probably bother to do this - I'm not, so I don't. Similarly, all the
package maintainers in the debian project have their own PGP keys which
they use for signing uploads to the ftp archive. The point here is the key
signings used for this purpose are specific to this purpose - it doesn't
matter that the people involved can prove to each other that they have a
given legal name; what matters is that enough of them know each other as
one individual to another that they can be sure that the same person who
they know, or who someone else on the project knows, is uploading a given
package. This is different from if you were talking to someone claiming to
be linus torvalds on the net and they tried to prove it to you by giving
you a PGP signature.
- If I was talking to someone I knew over email about something i wanted
to keep secret, I might consider using PGP signing and encryption to do
this. I've never had to do this or wanted to, so I don't.
- I remember a story from one of the chinese taoist writers about a load
of people in a small town who were worried that thieves might take the
gold and jewellery they had hidden in their houses. So they got together
and built a giant heavy safe-box to put it all in. One day a giant came
along and just walked off with the whole box - as far as he was concerned
they'd done him a favour by putting it all together in a neat package. I
think this story says something similar to the point you keep making, but
maybe the people you're talking to who are using PGP are less naive than
you're prepared to give them credit for.

andy.

[Alan Connor]

On Wed, 29 Oct 2003 09:20:10 +0000, Andy Baxter <ne...@earthsong.null.free-online.co.uk> wrote:
>
>
> For what it's worth, my views on this at the moment are:
>
> - you're right that PGP sigs look untidy - it would be better if they
> could be put in the headers, but people can't easily do this until there's
> some agreed convention for doing it properly, which is probably why they
> end up in the body.

Actually, quite a few people already limit their pgp sigs to their headers
and a legal sig.

Look around. The in-your-face sigs amount to nothing more than a commercial
for the program itself, and snobbery: I belong to the PGP Club, and you
don't.

They know perfectly well that 99.999% of the people can't even tell whether
their sig is even real or not.
z

> - They do offer some degree of protection against other people forging
> your posts - if someone starts doing this then you can post a message
> signed by you pointing it out, and people can compare it with all the
> earlier posts you'd made if they want to check. If this happened to me, I
> prefer to try to deal with it just through words, but if people want to do
> it this way that's up to them as far as I'm concerned.

I'd be a lot more impressed if PGPsigs guaranteed the good behavior of
it's user as well as that of others.

As it stands, they can leave it off if they want to, impersonate even
THEMSELVES if they want to.......

It protects them from us, but doesn't protect us from them.

Were it impossible for them to post without the pgpsig, the program would
be worth considering.

> - I would be very wary of assuming that a PGP key implied anything certain
> about a person's real world identity, for the sort of reasons you're
> talking about, just as I would for any other document of this sort in real
> life in situations when it might matter. But this is not relevant on
> usenet - the issue is whether the same person is making posts under the
> same name, not whether that is their real name.

The PGPsig does not prove that posts displaying them come from the same
person.

There is nothing at all in the system that prevents people from having
a half dozen and passing them around at will.

I think that the people on these groups are very intelligent, as a rule.
These are Linux Runners, my good man!

And one of the ways they display their intelligence is by staying away from
PGPsigs in DROVES,

all your sophistry aside.

>
> andy.
>
> --
> remove 'n-u-l-l' to email me. html mail or attachments will go in the spam
> bin unless notified with [html] or [attachment] in the subject line.

[Captain Dondo]

Alan Connor wrote:
>>So what convinces you, or anyone, to sign a PGP key? I know nothing
>>about this stuff, but assume it is somewhat analogous to a notarized
>>signature? As a notary, I either have known the signer personally for
>>several years, or else see some form of ID with a photo that matches
>>the face and a signature that matches the current one; otherwise, no
>>seal goes on the document. When I accept a notarized document, I do so
>>not only with the blind trust that other notaries follow the same
>>procedures, but also with the knowledge that the other notary has, as
>>do I, a bond on file with the government of his or her jurisdiction.
>>
>>Can you tell us how (or if) these concepts map into the space of PGP
>>keys?
>>
>
>
> Sure. Except in very rare cases, they don't. And they are not required.
>
> A few people have done this, and their signatures on a key are considered
> to be valuable. Do they demand the same sort of documentation from the
> people whose keys they sign? No.
>
> Will they sign your key if you are a political or idealogical or commercial
> enemy? No.
>
> PGP, beyond the cryptography, is an elitist club and a purely political
> construct.
>
>

Well, let's see. For me, in my state, all I need to get a legal
document signed is to get Notary Public to witness my signature. No ID
is required. All the Notary is attesting to is that s/he saw me sign
the paper. That makes it legal. The notary is not required to keep a
record of the transaction. To become a Notary, all you need is to have
a State legislator recommend you.

OTOH, for me to get Thawte to sign my certificate, I need a signed
statement from two professionals - an attorney, a CPA, or a bank manager
- stating that I presented two forms of major picture ID (a passport,
etc.) and that I am who I say I am. They need to be listed in the phone
book, and need to keep a record of the transaction so Thawte can verify
by phone (presumably they look up the phone number in the phone book
rather than trust whatever phone number is on the paper.)

To scam this would require a significant, long term, expensive effort.
I don't say that it's impossible, but think about it - two physical
addresses with commercial phone service, someone manning them for 30
days or longer, a listing in the phone book, etc.

Which certificate is more secure? The Notary Public-signed one or the
Thawte signed one?

-Dondo

--
What am I on?
I'm on my bike, o__
6 hours a day, busting my ass. ,>/'_
What are you on? --Lance Armstrong (_)\(_)

[Andy Baxter]

On Wed, 29 Oct 2003 10:29:05 +0000, Alan Connor wrote:

> And one of the ways they display their intelligence is by staying away from
> PGPsigs in DROVES,
>
> all your sophistry aside.
>

It's not sophistry - I'm saying what I think. That aside, I'll just let it
be and if you all want to carry on winding each other up over this, that's
up to you.

[Alan Connor]

More bullshit.

You and I and everyone else knows that almost no one with a pgpsig has
anything even CLOSE to your Thawte endorsement.

The people have spoken:

99.999% of the people on the Internet don't even care whether they can tell
if someone's pgpsig is real or not.

We keep going over the same tired and shabby arguments again and again.

Boring.

Can't you even TELL when you have had your ass kicked?

I'm killfiling you for 30 days, for the same reason that I don't answer my
door on Sundays unless someone has called in advance:

PGP cultists and Jehovah's witnesses just won't take no for an answer and
are boring as hell.

[Peter Köhlmann]

Alan Connor wrote:

< snip utter crap >

Idiot
--
Try to be the best of whatever you are, even if what you are is
no good.

[Alan Connor]

But the main reason I am killfiling you is that I think you are not
who you are pretending to be.

Or rather, I think you are the same person who has been using a number
of otherwise unseen-before names to post the same damned shoddy arguments
for PGPsigs, over an over.

Or to just sling abuse at me.

[Captain Dondo]

Alan Connor wrote:

>
> I'm killfiling you for 30 days, for the same reason that I don't answer my
> door on Sundays unless someone has called in advance:

Shit, dude, you kill-filed me last week for 60 days. Can't you even do
kill-files right?

Or did your kill-file script screw up - perhaps you wrote it yourself?
Or perhaps ed (remember, you read your posts with ed, one line at a
time) doesn't have a kill-file filter?

:-)

BTW, I've been posting as Captain Dondo for a number of years now....
My one and only usenet identity....

-Dondo

--
What am I on?
I'm on my bike, o__
6 hours a day, busting my ass. ,>/'_
What are you on? --Lance Armstrong (_)\(_)

This line added just to annoy AC :-)

[Ed Murphy]

On Wed, 29 Oct 2003 10:29:05 +0000, Alan Connor wrote:

> Actually, quite a few people already limit their pgp sigs to their headers
> and a legal sig.

Name one. Give a Message-ID!

> As it stands, they can leave it off if they want to, impersonate even
> THEMSELVES if they want to.......
>
> It protects them from us, but doesn't protect us from them.
>
> Were it impossible for them to post without the pgpsig, the program would
> be worth considering.

It's not *intended* to protect us from them. Stop blaming PGP for
failing to do something that it was never intended to do!

> The PGPsig does not prove that posts displaying them come from the same
> person.
>
> There is nothing at all in the system that prevents people from having
> a half dozen and passing them around at will.

PGP assumes that the possessor of a private key is not STUPID enough
to give it away. How is your own handcrufted system any less abusable?

[Molchun]

Alan Connor wrote:

>
> I could, in very short order, find the name of someone who was born in
> a big city someplace, graduated from high school, then moved away
> and died years later in a distant place.

So ???

> With the aid of commonly available free software I could whip up fake
> birth certificates and high school diplomas (using examples from the
> city and high school in question as templates) that I could send to anyone
> who asked.

Like how? Stop crying and get to the point.

> I could then get an email address that resembled that name and use that
> name on the Usenet for a while, keeping a low profile and pretending to
> be impressed with PGPsigs.

You can have any name you want. What does it prove? And what is your point
again?

> I could easily acquire a snailmail address in another city
> that SEEMED to be a street address, and have any mail sent to it forwarded
> to a PO box (in another fake name) here, and vice-versa.

I can pick my arse and pick my nose at the same time.

> I could get the key signed by a whole lot of people, and they would have
> a stake in insisting that I was who I said I was, because THEY signed the
> key and THEIR reputations would be at stake.
>

How exactly does that help you if you sign your key by hundreds of people?
They can insist whatever they want to insist but if I trust none of them
your key is as valid as a driving license with a picture of 3 year old girl
on it.

You've posted quite a few posts on PGP topic recently and I tried to avoid
the discussion 'cos I thought it was a silly one. I don't want to offend
you in any way but this is just getting stupid. You either refuse to
understand the concept for the sake of an argument or you really don't get
it. It's hard to figure out.
Some people were polite to explain you - you didn't listen to them and some
people were not that polite for the simple reason that you ignored the
polite ones.

You seem to have two problems: one is that you don't like the PGP signature
in other people posts and second is you don't get the social and technical
concepts of public key cryptography.
If somebody hits you with a solid argument on your second problem you just
quickly shift to the first and visa versa. Why? You either prove your
argument to the end or be a man and admit you're wrong.

OK. Your first problem.
1. If you don't like the PGP-signed posts filter them or killfile the
posters but, please, don't shout about it every time - *you do it for your
convenience only*, 99% of people here don't care if you killfile them,
you're just not that important.
2. PGP "signature" (note the quotes) is *NOT* part of the ordinarily mail or
usenet post signature. Just because they both called signature does not
mean they're related. The mail signature was used to include your email
address and other stuff that used to be mungled in the headers, now it's
used well, for anything you want and it's a good practice but *NOT* a must
to have your signature within 4 lines limit. So if you don't like people
with long signatures filter them out but, please, don't say that PGP
violates the 4-line convention 'cos it's got nothing to do with it.

Your second problem.
1. You can not forge (with current technology and computing power) the PGP
signature or break public key encryption. Whereas it's dead easy to forge
any official document. Trust me getting a passport of any nationality is
EASY now a days, it's much harder to forge the "trust" though.
2. Forging the PGP key ID does not give you anything!
Signing your forged ID by million of other keys *does not give you
anything* !
3. Suppose you create a key with my name and sign it by hundred other keys -
so what? If somebody checks the signature with the public key of the
key-pair you created and it checks out OK the only thing it proves is that
the item was signed by someone who created the key-pair or have access to
the private key. My name or any name on your key ID does not mean that it's
this name/person who created the key-pair or signed the item. Do you
understand this?
If I communicate with somebody and I know the person, he can have name
"dizzy" on his key ID, in fact, in some cases it's not a good idea to
present your real name on the key ID (for obvious reasons).
If I want to communicate with somebody I've never met before and information
is important then I'll meet the bugger and get the public key from him
directly, again he can have name "scooby" on his key ID, it's not important
since I've met him.
If I cant meet the person || information is not that important then I might
search for the key with the name that I assume belongs to the person I want
to talk to in which case I'll make sure the public key I find is generated
by the person I want to talk to and it's not compromised.
Read the PGP docs to find out how to do it but the first thing I would do is
check that the public key I have has been signed by people I know or at
least "trust", if you managed to buy the signatures of people that I trust
then they wouldn't be on my trust list, would they? :) The trust is a
relative thing, YOU manage your trust circle, you choose who you trust and
if you make a mistake the only one who pays for it is YOU. Again, it
depends on the importance of the information to be transmitted whether I
get the public key directly from the recipient or trust my "trusted list of
names".

The only thing public key cryptography guarantees (providing the key has not
been compromised) is that if an item is encrypted by a public key it can
only be decrypted by its other half - its private key and they both were
generated by a single person with whatever name, who gave the key-pair
whatever ID he wanted.
The same with the signatures but in reverse. It's about all I want from the
technology and it's about all I claim it does.
You can use this technology for authentication and identification.
The flaw in implementation does not mean the flaw in the technology.
It's up to you how you use/implement this technology. It's up to you how you
build your trust model.

Now think hard.

--
Jabber: mol...@jabber.org
PGP ID: 0x304563A8

[Molchun]

Alan Connor wrote:

They don't have to.
Thats why there are levels of trust and signature.
When you sign a key you're given an option to choose 1-5 about how sure you
are about the key in question. You assign 1-5 depending on the level of
checking you've done. On the basis of this people will decide whether to
trust your signature or not. Simple.
Sure, you can lie, you can do no checking at all and assign the highest
level as if you've checked everything including DNA but then who would
trust you? :) People would just ignore your signature.

> Will they sign your key if you are a political or idealogical or
> commercial enemy? No.

Why should they? Or why shouldn't they? What has this got to do with
politics?
I don't get this one. Must be tricky.

Any official government body can be bought and any official document can be
forged! And it's much easier then breaking public key cryptography LOL :)

> PGP, beyond the cryptography, is an elitist club

It could be if we want it to be.
I don't suppose you against people forming a unity around an idea they all
like and wish to share thoughts about. I don't suppose you have something
against communities?

Linux community
PGP community
Slackware community
Windows community
"Save the apes of the Earth" community
"Healthy way of living" community
"Stop stealing Iraqi oil" community
etc.

What's wrong with forming communities?
Are you jealous that you're not a part of any?

> and a purely political
> construct.

The last in my list could be political but PGP - nahhh.

[DrMemory]

On Wed, 29 Oct 2003 03:39:31 GMT, Ed Murphy <emur...@socal.rr.com> wrote:
>It depends on how much you trust the signer(s), and you can make that
>decision however you wish.
>
>If Alice signs Bob's key, but you don't trust Alice, then you are by
>no means forced to trust Bob.
>

So, to go back to the notary analogy, I have to know and trust at
least one of the notaries who has put a seal on the document, or I
have no way of knowing if the signature on the document is genuine?

[DrMemory]

On Wed, 29 Oct 2003 06:59:04 GMT, Alan Connor <zzz...@xxx.yyy> wrote:
>
>It sure is convenient the way that "DrMemory" keeps feeding you straightlines.
>
>I don't think he even exists.
>

Oh, I definitely exist, or think I do. If you think that someone
honestly asking questions in order to learn about a subject amounts to
"staging", then you have some paranoia issues. I suppose my post about
the "find -not -name '*'" (and which you were kind enough to attempt
to answer) was just another part of some elaborate ruse
to dupe you. Man, I am wilier than I had ever thought!

[Alan Connor]

[Ed Murphy]

Yeah, pretty much. I could take a signed document and write "Notary
Public" on it in red crayon, but it wouldn't convince any reasonable
person to trust the document's authenticity.

[Ed Murphy]

On Wed, 29 Oct 2003 18:29:05 +0000, Alan Connor wrote:

[nothing, after quoting approx. 100 lines]

Would you like an AOL CD? Look, it's *shiny*!

[Alan Connor]

On Wed, 29 Oct 2003 13:26:24 +0000, Molchun <mol...@REMOVEbluerealm.co.uk> wrote:
>
>
> Alan Connor wrote:
>
>>
>> I could, in very short order, find the name of someone who was born in
>> a big city someplace, graduated from high school, then moved away
>> and died years later in a distant place.
>
> So ???
>
>> With the aid of commonly available free software I could whip up fake
>> birth certificates and high school diplomas (using examples from the
>> city and high school in question as templates) that I could send to anyone
>> who asked.
>
> Like how? Stop crying and get to the point.
>

Just the sort of behavior that we have come to expect from PGPsig users.

Sure strikes me as odd to the extreme that the majority of people
defending PGPsigs here are names we have never seen before.

I think they are as phony as PGPsigs.

[Alan Connor]

On Wed, 29 Oct 2003 17:54:11 GMT, DrMemory <drme...@starband.net> wrote:
>

Another name that we never saw before the PGPsig debate.

Another phony identity being used to promote a program that is supposed
to prevent that very thing.

The irony is delicious.

[Alan Connor]

<chuckle>

Not to dupe ME, but rather to dupe EVERONE.

You may be quite legitimate, but most of the people that have been coming
to the ardent defense of PGPsigs are names that I can't find in the Archives
before these threads.

And "they" keep using the same arguments, over and over, as if no one had
heard and shot them down before.

[Peter Köhlmann]

Alan Connor wrote:

> On Wed, 29 Oct 2003 18:12:29 GMT, DrMemory <drme...@starband.net> wrote:
>>
>>
>> On Wed, 29 Oct 2003 06:59:04 GMT, Alan Connor <zzz...@xxx.yyy> wrote:
>>>
>>>It sure is convenient the way that "DrMemory" keeps feeding you
>>>straightlines.
>>>
>>>I don't think he even exists.
>>>
>>
>> Oh, I definitely exist, or think I do. If you think that someone
>> honestly asking questions in order to learn about a subject amounts to
>> "staging", then you have some paranoia issues. I suppose my post about
>> the "find -not -name '*'" (and which you were kind enough to attempt
>> to answer) was just another part of some elaborate ruse
>> to dupe you. Man, I am wilier than I had ever thought!
>>
>
> <chuckle>
>
> Not to dupe ME, but rather to dupe EVERONE.
>
> You may be quite legitimate, but most of the people that have been coming
> to the ardent defense of PGPsigs are names that I can't find in the
> Archives before these threads.
>

Just start to name a few. You can start with mine. I have *never* posted
under a different name. Not ever. Since years

> And "they" keep using the same arguments, over and over, as if no one had
> heard and shot them down before.
>
>

Kindly show us where they were shot down?

And when you're at it, would you explain why Debian uploads are signed by
PGP, when it is such a hoax? This is one of the arguments you *always* snip
to avoid answering it
--
If you're right 90% of the time, why quibble about the remaining 3%?

[Ed Murphy]

On Wed, 29 Oct 2003 18:59:04 +0000, Alan Connor wrote:

> Sure strikes me as odd to the extreme that the majority of people
> defending PGPsigs here are names we have never seen before.

A Google Groups search on Molchun's manged e-mail address indicates
that he's posted nearly four dozen messages here before, some dating
back to June. He's also popped up in alt.os.linux.slackware and
alt.games.unreal.tournament2003, among several others. So you really
should change "we have never seen before" to "Alan Connor has never
seen before".

In general, the appearance of lurkers in this thread wouldn't strike
me as odd in the least. When you're this thoroughly and stridently
wrong about a subject, you tend to pull lurkers out of the woodwork.

> I think they are as phony as PGPsigs.

And you're thoroughly and stridently wrong about both. If Molchun
is a pseudo, then he's an awfully elaborate one. The idea that one
or a few people would maintain *several* such elaborate pseudos,
just to combat *one* person (you) stridently running his mouth about
that which he doth not understand in the least, is laughable.

http://www.baetzler.de/humor/powerposting.html

1. Conspiracies abound: If everyone's against you, the reason can't
*possibly* be that you're a fuckhead. There's obviously a conspiracy
against you, and you will be doing the entire net a favor by exposing
it. Be sure to mention the CIA, FBI Oliver North and the Army as
co-conspirators.

[Ed Murphy]

On Wed, 29 Oct 2003 18:59:04 +0000, Alan Connor wrote:

> On Wed, 29 Oct 2003 17:54:11 GMT, DrMemory <drme...@starband.net> wrote:

> Another name that we never saw before the PGPsig debate.

Another name that YOU never saw. Google Groups says that he's been
around since February, and has posted a couple dozen messages to
various newsgroups.

Do you know what Google Groups is? Do you know what it does? Would
you like to start another thread (sorry, set of threads) about how
Google Groups is *also* a farce? Surely it's vastly inferior to your
"post validation" web site, which apparently can't handle <> characters
correctly. (But then again, neither can your news software. Which,
according to you, is 'ed'.)

[Molchun]

Alan Connor wrote:

> On Wed, 29 Oct 2003 13:26:24 +0000, Molchun
> <mol...@REMOVEbluerealm.co.uk> wrote:
>>
>>
>> Alan Connor wrote:
>>
>>>
>>> I could, in very short order, find the name of someone who was born in
>>> a big city someplace, graduated from high school, then moved away
>>> and died years later in a distant place.
>>
>> So ???
>>
>>> With the aid of commonly available free software I could whip up fake
>>> birth certificates and high school diplomas (using examples from the
>>> city and high school in question as templates) that I could send to
>>> anyone who asked.
>>
>> Like how? Stop crying and get to the point.
>>
>
> Just the sort of behavior that we have come to expect from PGPsig users.

What behavior? You mean all PGP users more or less intelligent enough to put
you down on your arse with a solid argument? Is that what you mean? If not,
please, elaborate so that I can apologize if I was wrong.

> Sure strikes me as odd to the extreme that the majority of people
> defending PGPsigs here are names we have never seen before.

How is that relevant?
Surely you want to defend your argument no matter who posts it "Matt" or
"Lizzy", human or AI. If you've never seen somebody it doesn't make his/her
argument less valid or does it?

> I think they are as phony as PGPsigs.

PGP signatures can not be phony only key IDs can as much as anything else in
life, passports, driving licenses, names, certificates. But it doesn't
matter, what matters is whether you trust those. Do you trust the passport
that has been shown to you? After carefull examination of the security
strip and the water signs you might or you might not.
Welcome to the real world! - Morpheus

Anyway, if that's all you can answer to my long post then it's really
pathetic and it pretty much shows it all! You could at list try and lose
like a man and learn something. Just don't start a new thread on this topic

As for my name, yes it's a nick and I've had it for a very long time.
How does that change the argument?

[Molchun]

Was that an agony of a dying chicken?

[Molchun]

Alan Connor wrote:

> On Wed, 29 Oct 2003 17:54:11 GMT, DrMemory <drme...@starband.net> wrote:
>>
>
>
> Another name that we never saw before the PGPsig debate.

And that matters how?

> Another phony identity being used to promote a program that is supposed
> to prevent that very thing.

You're clearly ignorant about what PGP is supposed to prevent.
After so many posts and after so many knowledgeable people trying to explain
it to you it still does not register.
Truly weird!

> The irony is delicious.

Exactly!

[Peter Köhlmann]

Molchun wrote:

> Alan Connor wrote:
>
>> On Wed, 29 Oct 2003 17:54:11 GMT, DrMemory <drme...@starband.net> wrote:
>>>
>>
>>
>> Another name that we never saw before the PGPsig debate.
>
> And that matters how?
>

Not at all. It is AC's way of finding another pretext to not argue the
points, because he has none and he knows exactly that he has no point

>> Another phony identity being used to promote a program that is supposed
>> to prevent that very thing.
>
> You're clearly ignorant about what PGP is supposed to prevent.
> After so many posts and after so many knowledgeable people trying to
> explain it to you it still does not register.
> Truly weird!
>

Not weird at all. He is a *very* little boy stomping with his feet, yelling
"it ain't so"
He is not yet mature enough to admit an error / admit ignorance etc etc

--
Experience is what causes a person to make new mistakes instead of
old ones.

[Roger Leigh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Alan Connor <zzz...@xxx.yyy> writes:

> Maybe you should note that almost no one has anyone but their buddies sign
> their keys.

Here's part of my key (email addresses blanked out for obvious
reasons--you could always get my key if you wanted to see that badly).
It's signed by various Debian, RedHat, LUGers, and other Linux-related
people (both developers and enthusiasts). Just for laughs, I'll sign
this post, so you'll know this is really my key. If you had signed
the key of any of of these individuals, you could also verify its
authenticity.

$ gpg --list-sigs rleigh
pub 1024D/25BFB848 2001-01-26 Roger Leigh <######@######>
sig 3 25BFB848 2003-02-24 Roger Leigh <######@######>
sig 3 E643AF1E 2003-02-28 Ben Spencer (Regexp Ninja) <######@######>
sig 3 116521D9 2003-08-02 David Woodhouse (Insecure work key) <######@######>
sig 3 88C7C1F7 2003-06-25 Steve McIntyre <######@######>
sig C871E90F 2003-08-03 John Southern <######@######>
sig 3 243A1329 2003-08-02 David Woodhouse <######@######>
sig E2B5B8A8 2003-08-03 William Boughton <######@######>
sig 2 2BE16D01 2003-08-05 Moray Allan <######@######>
sig 2 5C6153AD 2003-08-05 Mark Brown <######@######>
sig 3 DA602822 2003-08-10 Andrew Stribblehill <######@######>
sig 3 68FD549F 2003-08-13 Martin Michlmayr <######@######>
sig 0464E7E5 2003-08-19 Philip Hands (old PGP key) <######@######>
sig AE437DE5 2003-08-17 Clive Jones <######@######>
sig DD9B9910 2003-08-19 Philip Hands <######@######>
sig 2 B7D86E0F 2003-08-18 Chris Boyle <######@######>
sig 2 76B8A43D 2003-08-18 Stephen Stafford <######@######>
sig 3 2FD8A73B 2003-08-17 Matthew Rowen <######@######>
sig 3 5BE86FB9 2003-08-18 Matthew James Johnson <######@######>
sig 3 5B430367 2003-08-21 Jonathan McDowell <######@######>
sig 3 84AD676C 2003-08-17 Scott James Remnant <######@######>
sig 3 3651D17A 2003-08-17 Robert Kendrick <######@######>
sig 590DB085 2003-08-21 Clive Jones (RSA) <######@######>
sig 518AE9C8 2003-08-17 Clive Jones <######@######>
sig BC1D5E08 2003-08-21 Clive Jones <######@######>
sig 3 B12D595A 2003-08-21 Regis Boudin (Houba) <######@######>
sig 2 DF81EE83 2003-08-21 Rob Bradford (robster) <######@######>
uid Roger Leigh <######@######>
sig 3 25BFB848 2001-01-26 Roger Leigh <######@######>
sig DED45912 2002-04-02 Paul Martin <######@######>
sig 3 E643AF1E 2003-02-28 Ben Spencer (Regexp Ninja) <######@######>
sig 3 116521D9 2003-08-02 David Woodhouse (Insecure work key) <######@######>
sig 3 88C7C1F7 2003-06-25 Steve McIntyre <######@######>
sig C871E90F 2003-08-03 John Southern <######@######>
sig 3 243A1329 2003-08-02 David Woodhouse <######@######>
sig E2B5B8A8 2003-08-03 William Boughton <######@######>
sig 2 2BE16D01 2003-08-05 Moray Allan <######@######>
sig 2 5C6153AD 2003-08-05 Mark Brown <######@######>
sig 3 DA602822 2003-08-10 Andrew Stribblehill <######@######>
sig 3 68FD549F 2003-08-13 Martin Michlmayr <######@######>
sig 0464E7E5 2003-08-19 Philip Hands (old PGP key) <######@######>
sig AE437DE5 2003-08-17 Clive Jones <######@######>
sig DD9B9910 2003-08-19 Philip Hands <######@######>
sig 2 B7D86E0F 2003-08-18 Chris Boyle <######@######>
sig 2 76B8A43D 2003-08-18 Stephen Stafford <######@######>
sig 3 2FD8A73B 2003-08-17 Matthew Rowen <######@######>
sig 3 5BE86FB9 2003-08-18 Matthew James Johnson <######@######>
sig 3 5B430367 2003-08-21 Jonathan McDowell <######@######>
sig 3 3651D17A 2003-08-17 Robert Kendrick <######@######>
sig 590DB085 2003-08-21 Clive Jones (RSA) <######@######>
sig 518AE9C8 2003-08-17 Clive Jones <######@######>
sig BC1D5E08 2003-08-21 Clive Jones <######@######>
sig 3 B12D595A 2003-08-21 Regis Boudin (Houba) <######@######>
sig 2 DF81EE83 2003-08-21 Rob Bradford (robster) <######@######>

> Why are you trying to give the impression that a distant ideal of PGP's is
> a current reality?

It *is* a current reality...amongst a certain set of people who make
it so. Signatures are not required to make PGP useful, but rather add
trust to its capabilities. The more people sign each others keys, the
more useful it becomes.

I'm not atypical amongst PGP users. I take my ID and GPG fingerprint
with me to meetings, conferences etc., and exchange signatures with
people I meet. Often, these are people I have corresponded with for
years, but never met in person. Although these often have no
immediate use, they become useful with future correspondence.

There is no cabal BTW. If you created a key and took your ID and
fingerprint around with you, I'm sure you would soon start getting
signatures. There's no politics involved--just being in the right
place at the right time. If you never meet anyone with a key, you'll
never sign anyones key, right?

> And you should also note that no one HAS to use their key, and can just leave
> it off, alter their headers, and do whatever they want, to then scurry back
> to the shelter of their key and disavow whatever they've done.

So what? I could post a [paper] letter without a signature, or I
could sign it. It's my choice. I have the same choice with PGP.

BTW, as another example of its use, the Debian Project uses PGP
signatures to validate votes in ballots and elections.

Regards,
Roger

- --
Roger Leigh

Printing on GNU/Linux? http://gimp-print.sourceforge.net/
GPG Public Key: 0x25BFB848. Please sign and encrypt your mail.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.8 <http://mailcrypt.sourceforge.net/>

iD8DBQE/oY/NVcFcaSW/uEgRAqBfAKDgczqaEqqEyBvhQMPYfey50WKWXwCdEihB
KkS0RNiaJiHrBcAQc6KDf74=
=GnVR
-----END PGP SIGNATURE-----

[baskitcaise]

Roger Leigh wrote:

> - --
> Roger Leigh
>
> Printing on GNU/Linux? http://gimp-print.sourceforge.net/
> GPG Public Key: 0x25BFB848. Please sign and encrypt your
> mail.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.3 (GNU/Linux)
> Comment: Processed by Mailcrypt 3.5.8 <http://mailcrypt.sourceforge.net/>
>
> iD8DBQE/oY/NVcFcaSW/uEgRAqBfAKDgczqaEqqEyBvhQMPYfey50WKWXwCdEihB
> KkS0RNiaJiHrBcAQc6KDf74=
> =GnVR
> -----END PGP SIGNATURE-----

Who`s going to get killfiled now you naughty person :)

I suppose I will now for re-posting the offending part of your post, Oh dear
what am I going to do.

--
Mark
Twixt hill and high water.
N.Wales, UK.
Email is spam trap try baskitcaise at gmx dot co dot uk

[Alan Connor]

On Thu, 30 Oct 2003 22:26:39 +0000, Roger Leigh <${roger}@invalid.whinlatter.uklinux.net.invalid> wrote:
>

killfiled for 90 days for willfully violating the 4-line sig rule.

(and for being boring, as all people are who have a pile of shit but have
been convinced by con artists that it is a gold necklace)

[Peter Köhlmann]

Alan Connor wrote:

> On Thu, 30 Oct 2003 22:26:39 +0000, Roger Leigh
> <${roger}@invalid.whinlatter.uklinux.net.invalid> wrote:
>>
>
> killfiled for 90 days for willfully violating the 4-line sig rule.
>
> (and for being boring, as all people are who have a pile of shit but have
> been convinced by con artists that it is a gold necklace)
>

How convenient for you. That way you don't have to actually answer anything
he posted, right? Because you can't without looking increasingly stupid

Don't worry, you are already known as the PGP-jerk. You very thorougly
trashed any credibility you might have had
--
Support your local Search and Rescue unit -- get lost.

[Lloyd Sumpter]

On Tue, 28 Oct 2003 19:33:57 +0000, Alan Connor wrote:

>
> I could, in very short order, find the name of someone who was born in
> a big city someplace, graduated from high school, then moved away
> and died years later in a distant place.
>

> With the aid of commonly available free software I could whip up fake
> birth certificates and high school diplomas (using examples from the
> city and high school in question as templates) that I could send to anyone
> who asked.
>

> I could then get an email address that resembled that name and use that
> name on the Usenet for a while, keeping a low profile and pretending to
> be impressed with PGPsigs.
>

> I could easily acquire a snailmail address in another city
> that SEEMED to be a street address, and have any mail sent to it forwarded
> to a PO box (in another fake name) here, and vice-versa.
>

> I could get the key signed by a whole lot of people, and they would have
> a stake in insisting that I was who I said I was, because THEY signed the
> key and THEIR reputations would be at stake.
>

> -------------------------------------------------------------------------
>
> Now THERE'S a system that would make any con artist's heart glow!
>
> PGP really stands for: Pathetically Gullible Person

Seems like a lot of work for not much gain. Why go to all this trouble for
a PGPsig? A birth cert., high-school diploma, address etc. should give you
driver's license, credit cards ...

Lloyd Sumpter

[Alan Connor]

On Fri, 31 Oct 2003 11:14:37 -0800, Lloyd Sumpter <lsum...@dccnet.com> wrote:
>>
>> PGP really stands for: Pathetically Gullible Person
>
> Seems like a lot of work for not much gain. Why go to all this trouble for
> a PGPsig? A birth cert., high-school diploma, address etc. should give you
> driver's license, credit cards ...
>
> Lloyd Sumpter
>

Sure. But my point is that the foundation of the alleged authentication provided
by a PGPsig/key is paper documentation, which in the age of the computer/
internet is nearly itself worthless.

And that the PGPsig would just be another tool in the con artist's toolbox,
being very easily acquired after the basic work was done.

What PGPsig/keys claim to do cannot to my knowledge be DONE in this medium
of smoke and mirrors.

---------

If a PGP cultists jumps in here with another boring iteration of "Oh you
don't really understand PGPsig/keys" I am going to barf.

They know and we know that they are expecting us to take that sig as some
kind of proof that they are more honest and trustworhy than the average
person.

Which just goes to show how naive they really are.

99.999% of the people on the Internet don't even care whether an apparent
PGPsig/key is real or not.

[Captain Dondo]

Alan Connor wrote:

>
> What PGPsig/keys claim to do cannot to my knowledge be DONE in this medium
> of smoke and mirrors.

All PGP claims to do is insure that a message, signed by a specific key,
a) has not been modified, and b) comes from the same source as any other
message signed by the same key.

It makes no claims to authenticate *who* the sender is, just to insure
that the sender is the same entity.

Are you entirely too dense to see that?

[Peter Köhlmann]

Alan Connor wrote:

> On Fri, 31 Oct 2003 11:14:37 -0800, Lloyd Sumpter <lsum...@dccnet.com>
> wrote:
>>>
>>> PGP really stands for: Pathetically Gullible Person
>>
>> Seems like a lot of work for not much gain. Why go to all this trouble
>> for a PGPsig? A birth cert., high-school diploma, address etc. should
>> give you driver's license, credit cards ...
>>
>> Lloyd Sumpter
>>
>
> Sure. But my point is that the foundation of the alleged authentication
> provided by a PGPsig/key is paper documentation, which in the age of the
> computer/ internet is nearly itself worthless.
>

Proclaim a better solution to validate the identity of someone <ou do not
know. What you always snip away is the part where you can sign the key of
people you *do* know and thereby build the web of trust.
What you also *always* snip is that Debian is maintained by uploads
PGP-signed. By that very method you claim is worthless

> And that the PGPsig would just be another tool in the con artist's
> toolbox, being very easily acquired after the basic work was done.
>
> What PGPsig/keys claim to do cannot to my knowledge be DONE in this medium
> of smoke and mirrors.
>

You got something right here. To YOUR knowledge. It can be safely assumed
that your knowledge in these matters is non-existant

> ---------
>
> If a PGP cultists jumps in here with another boring iteration of "Oh you
> don't really understand PGPsig/keys" I am going to barf.
>

Oh you don't really understand PGPsig/keys

> They know and we know that they are expecting us to take that sig as some
> kind of proof that they are more honest and trustworhy than the average
> person.
>

No. To my knowledge *noone* ever claimed that, except *you*

> Which just goes to show how naive they really are.
>

No. It just goes to show how very dishonest you are, since it was you who
claimed it

> 99.999% of the people on the Internet don't even care whether an apparent
> PGPsig/key is real or not.
>

And? Does it make a PGPsig invalid that way? And when you're at it, you can
surely provide some reference for that number, Alan?
--
Howe's Law: Everyone has a scheme that will not work.

[Andre Kostur]

Alan Connor <zzz...@xxx.yyy> wrote in
news:cazob.9860$RQ1....@newsread3.news.pas.earthlink.net:

> If a PGP cultists jumps in here with another boring iteration of "Oh
> you don't really understand PGPsig/keys" I am going to barf.

*Sigh* let's try this again...

> They know and we know that they are expecting us to take that sig as
> some kind of proof that they are more honest and trustworhy than the
> average person.

WRONG. Yet again. You don't take the sig (signing) as _any_ kind of proof
until you verify one or more of the keys which signed the user's key.

> Which just goes to show how naive they really are.

If this is so easy, please sign a posting here with a key that I'd trust.
Good luck.

> 99.999% of the people on the Internet don't even care whether an
> apparent PGPsig/key is real or not.

And 85% of statistics are completely made up on the spot.

[Alan Connor]

On Fri, 31 Oct 2003 20:50:50 GMT, Andre Kostur <nntp...@kostur.net> wrote:

Is that PGPsig on that mail or post a real PGPsig? Who can tell?

Almost no one has the software to even take it that far.

And do you know why, Andre?

Because they know that you and your PGP faddist buddies are full of shit
to your eyeballs.

[Keith Keller]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2003-10-31, Andre Kostur <nntp...@kostur.net> wrote:
>
> If this is so easy, please sign a posting here with a key that I'd trust.
> Good luck.

Do you mean Alan generating his own key and getting someone you trust to
sign it, or do you mean Alan generating a post that appears to have been
signed by someone you trust? :)

If the latter, many others have asked him to do so, and he has
studiously avoided all such requests. He did at one point in
alt.os.linux.slackware start including bogus PGP headers, and even
claimed at one point that he *had* successfully made a post that would
fool gpg. So I suppose we know the skill level we're dealing with here.
He even claimed that nobody noticed that he was forging posts, when in
fact he'd already killfiled the people who noticed almost immediately.

But nobody verifies PGP sigs, right Alan?

- --keith

- --
kkeller...@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://wombat.san-francisco.ca.us/cgi-bin/fom

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/ouEchVcNCxZ5ID8RAjqKAJ9gcWQ6jxMCoadTgUmqiUFSM5BEBQCaAr2c
/4XHQQJaw/Gz1HKpxavp0tI=
=P0eu
-----END PGP SIGNATURE-----

[Andre Kostur]

Keith Keller <kkeller...@wombat.san-francisco.ca.us> wrote in
news:uenunb...@goaway.wombat.san-francisco.ca.us:

> On 2003-10-31, Andre Kostur <nntp...@kostur.net> wrote:
>>
>> If this is so easy, please sign a posting here with a key that I'd
>> trust. Good luck.
>
> Do you mean Alan generating his own key and getting someone you trust
> to sign it, or do you mean Alan generating a post that appears to have
> been signed by someone you trust? :)

Either :) But I had actually meant the second :)

[Alan Connor]

Nice going. You have just admitted that you would not sign the key of
someone just because you don't like them.

Therefore, you would sign the key of someone who wasn't trustworthy
because you liked them.

And you wonder why people aren't impressed with PGPsigs?

-----------------

Now we are going to get to read 5 tons of bullshit about "the real reason
they wouldn't sign my key".

But it's way too late for that.

And the arrogance of these people is enough to make anyone GAG...

After I spend a week explaining why I think that PGPsigs are worth spit,

they still seem to think that I am going to be hurt by them saying that

they wouldn't sign my key!

And in so doing inadvertantly reveal the truth of one of my major criticisms:

PGPsig/keys have nothing to do with science beyond the cryptography. It is
an elitist club filled with arrogant fucking snobs.

----------------------

Andre, I'll bet you 1000 dollars that I could get a key and that you would
sign it.

Would it be under this name? No. Would I be using the same newsreader or
ISP? No.

All I would have to do is pretend that I thought PGPsigs were cool, let you
talk me into getting one, and then suck up to you for a while.

THAT'S how utterly worthless PGPsigs are.

[Peter Köhlmann]

Alan Connor wrote:

> On Fri, 31 Oct 2003 20:50:50 GMT, Andre Kostur <nntp...@kostur.net>
> wrote:
>
>
>
> Is that PGPsig on that mail or post a real PGPsig? Who can tell?
>
> Almost no one has the software to even take it that far.
>

Well, Alan, KNode for example (the newsreader I just now post with) has a
menu entry (one right click away) to check a PGP signature. It does not get
easier than that, and this is usenet, not email, where it would matter more
Just *try* to get your "facts" right, will you?

> And do you know why, Andre?
>
> Because they know that you and your PGP faddist buddies are full of shit
> to your eyeballs.
>

The only one I see here full of it is you. You do not know what and how to
do with PGP, so in your eyes it is worthless. You do not take into account
that your very limited knowledge is to blame here, not some imagined
shortcoming of PGP
--
No trees were destroyed in the sending of this message, however, a
significant number of electrons were terribly inconvenienced.

[Andre Kostur]

Alan Connor <zzz...@xxx.yyy> wrote in

news:eHCob.10347$Px2....@newsread4.news.pas.earthlink.net:

> On Fri, 31 Oct 2003 23:09:42 GMT, Andre Kostur <nntp...@kostur.net>
> wrote:
>>
>>
>> Keith Keller <kkeller...@wombat.san-francisco.ca.us> wrote in
>> news:uenunb...@goaway.wombat.san-francisco.ca.us:
>>
>>> On 2003-10-31, Andre Kostur <nntp...@kostur.net> wrote:
>>>>
>>>> If this is so easy, please sign a posting here with a key that I'd
>>>> trust. Good luck.
>>>
>>> Do you mean Alan generating his own key and getting someone you
>>> trust to sign it, or do you mean Alan generating a post that appears
>>> to have been signed by someone you trust? :)
>>
>> Either :) But I had actually meant the second :)
>>
>
> Nice going. You have just admitted that you would not sign the key of
> someone just because you don't like them.

Only in your mind did you read that. Nowhere in there did I say
_anything_ about me potentially signing your (or anybody elses) key.

> Therefore, you would sign the key of someone who wasn't trustworthy
> because you liked them.

I would suggest taking your formal logic courses over again. Assuming P
-> Q (where P == "I don't like a person" and Q == "I won't sign their
key") does not imply -P -> -Q (If I do like a person, I will sign their
key). It _does_ imply -Q -> -P (If I signed a key, I like the person),
but that argument hinges on the original assumption being true (which is
not universally true (the assumption), thus the argument is faulty).....

> And you wonder why people aren't impressed with PGPsigs?

Actually, I don't wonder that. Whether people are "impressed" with
PGPsigs or not is inconsequential to me. Whether PGPsigs provide a
useful service to me matters (to me). I wonder how you manage to make
these leaps of illogic, but that's a different story.

> -----------------
>
> Now we are going to get to read 5 tons of bullshit about "the real
> reason they wouldn't sign my key".

I have given no reasons or criteria on why I'd sign anybody's key.

> But it's way too late for that.
>
> And the arrogance of these people is enough to make anyone GAG...

Again, apparently just you. (Not that I'm claiming anybody here is
arrogant)

> After I spend a week explaining why I think that PGPsigs are worth
> spit,

... and failing to convince _anybody_ of your viewpoint .... (at least
nobody who has posted here) (quite honestly, I don't care whether your
viewpoint gets changed, I'm more concerned about innocent third parties
that may stumble upon your postings and get the wrong impressions).

> they still seem to think that I am going to be hurt by them saying
> that
>
> they wouldn't sign my key!

Nope. You are assigning maliciousness where none exists. I won't sign
your key, since you haven't even asked. You seem to think that people
will be hurt by you killfiling them too. Particularly for having an
allegedly "illegal" sig. (Funny, I can find no RFC which says that sigs
MUST be 4 lines or less. The closest I've seen is the GNKSA which only
lists the 4 lines restriction as a SHOULD not a MUST).

> And in so doing inadvertantly reveal the truth of one of my major
> criticisms:
>
> PGPsig/keys have nothing to do with science beyond the cryptography.
> It is an elitist club filled with arrogant fucking snobs.

Still only your opinion. So far I haven't seen anybody jump up and down
supporting your position.

> ----------------------
>
> Andre, I'll bet you 1000 dollars that I could get a key and that you
> would sign it.

Go ahead. Make your attempt. I also predict that even if you fail, you
won't cough up the 1000 dollars. Heck, you don't even need to pay it to
me... just donate it to the FSF or something. Please try. How do you
propose to prove to the rest of the world that you've either succeeded or
failed?

> Would it be under this name? No. Would I be using the same newsreader
> or ISP? No.

So what. Still waiting for you to try. (Hint: your newsreader and/or
ISP have _nothing_ to do with me signing your key. Your name might.)

> All I would have to do is pretend that I thought PGPsigs were cool,
> let you talk me into getting one, and then suck up to you for a while.

Feel free to try that approach. I _guarantee_ that won't be sufficient
(on its own) for me to sign any key that one may present me with. A
person's opinion of PGP wouldn't factor into my criteria for signing a
key.

> THAT'S how utterly worthless PGPsigs are.

Again, you still have not proved your point. All you have so far is "I
don't like them". However, other people have posted uses of PGPsigs in
practical and currently in-use situations. I'm afraid the evidence is
against you so far.

[Alan Connor]

On Sat, 01 Nov 2003 00:57:20 GMT, Andre Kostur <nntp...@kostur.net> wrote:

Andre, you are a fucking arrogant bully.

And it pleases me no end to watch you dig your own grave.

----------------

People aren't stupid. They can see that I hit a real nerve and that you
are scrambling to try to distract them with more bullshit.

Way to go.

Did I read this post? No. I heard it all before when you were posting
under a number of aliases.

[John Hasler]

Andre Kostur writes:
> You are assigning maliciousness where none exists. I won't sign your
> key, since you haven't even asked.

Same here. I would sign his key if he asked, arranged a meeting at my
convenience, and produced convincing credentials.

I would also assign him a very low level of trust due to his
misunderstanding of PGP.
--
John Hasler
jo...@dhh.gt.org (John Hasler)
Dancing Horse Hill
Elmwood, WI

[Andre Kostur]

Alan Connor <zzz...@xxx.yyy> wrote in

news:l0Eob.10072$RQ1....@newsread3.news.pas.earthlink.net:

> On Sat, 01 Nov 2003 00:57:20 GMT, Andre Kostur <nntp...@kostur.net>
> wrote:
>
> Andre, you are a fucking arrogant bully.

Do explain where the arrogance and "bullying" is.

> And it pleases me no end to watch you dig your own grave.

Hope you enjoy the view.

> ----------------
>
> People aren't stupid. They can see that I hit a real nerve and that
> you are scrambling to try to distract them with more bullshit.

You are quite correct that people can draw their own conclusions.

> Way to go.
>
> Did I read this post? No. I heard it all before when you were posting
> under a number of aliases.

come, come... _you_ offered up $1000 if you could get a key signed by me.
I await your attempt(s).

[baskitcaise]

Andre Kostur wrote:

> come, come... _you_ offered up $1000 if you could get a key signed by me.
> I await your attempt(s).

Don`t hold your breath Andre, he has threatened to do this before and never
fullfilled.

[John Winters]

In article <Y5Unb.7307$RQ1....@newsread3.news.pas.earthlink.net>,

Alan Connor <xx...@yyy.zzz> wrote:
>On Wed, 29 Oct 2003 13:26:24 +0000, Molchun <mol...@REMOVEbluerealm.co.uk> wrote:
>>
>>

>> Alan Connor wrote:
>>
>>>
>>> I could, in very short order, find the name of someone who was born in
>>> a big city someplace, graduated from high school, then moved away
>>> and died years later in a distant place.
>>

>> So ???

>>
>>> With the aid of commonly available free software I could whip up fake
>>> birth certificates and high school diplomas (using examples from the
>>> city and high school in question as templates) that I could send to anyone
>>> who asked.
>>

>> Like how? Stop crying and get to the point.
>>
>
>Just the sort of behavior that we have come to expect from PGPsig users.

What, you mean presenting a closely reasoned argument which shoots your
position down in flames? Yes, I suppose you're right - that is just
the sort of behaviour we have come to expect from PGP users.

Now, lets see how you reacted to it. Ah yes, you ignored all the points
made and responded with a spot of abuse. Just the sort of behaviour we
have come to expect from Alan Connor.

We are clearly all very well adjusted in our attitudes today.

HTH
John
--
The Linux Emporium - the source for Linux in the UK
See http://www.linuxemporium.co.uk/

We had a woodhenge here once but it rotted.

[Ed Murphy]

On Sat, 01 Nov 2003 01:29:53 +0000, Alan Connor wrote:

> Did I read this post? No. I heard it all before when you were posting
> under a number of aliases.

Go on, Alan-- say "I don't respond to turkeys" [1]. You know you want to.

[1] Fred Phelps, a fucktard who takes Leviticus 18:22 to mean that
homosexuality is worse than murder and rape and every other
felony on the books combined, used this phrase to avoid responding
to a caller on a radio show. <sarcasm> Isn't it *so* nice to know
that trolls are not limited to the Internet? </sarcasm>

[Alan Connor]

Now there's another post from the PGP cult that amounts to nothing but more
than trolling.

Grow up you pathetic bullies: Myself and almost everyone else on the Internet
thinks PGPsigs are a waste of time.

We don't want to join your cute little club because most of the members
are class A snobs with the ethics of junkyard dogs.

As you so amply demonstrate with this juvenile post.