[linux-elitists] Fwd: PGP signature attachments!
Karsten M. Self
Fri Sep 7 11:48:59 PDT 2001
on Fri, Sep 07, 2001 at 07:13:22PM +0100, Sean Neakums (firstname.lastname@example.org) wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> begin Wil Cooley quotation:
> > How the hell do you respond to someone like this?
> Like every good Net citizen, you eschew MIME and sign in plaintext.
> A little like this.
I'll do this on a case-by-case basis, but with great reluctance.
Borrowing from my own canned rant posted here by Aaron:
It's been suggested variously that I sign messages inline,
or in some instances, that mailing lists drop all MIME-encoded
attachments. I believe this is the wrong solution for two reasons:
- It breaks useful behavior. MIME attachments *can*
provide useful information, including support of non-ASCII
character sets, required for basic communications in much
of the world. In the case of signed messages, a recent
SANS alert of the BIND exploit of the day was copied to a
mailing list I'm subscribed to as cleartext-signed message.
The body of the message was modified in two generations of
distribution and the signature rendered invalid. This is
not immediately apparent as messages which are cleartext-
signed must be verified as a separate, manual, step. In the
case of security exploits and announcements, such verification
and authentication is of some importance.
- It's not the root problem. The root problem is mail clients
which handle untrusted content in an insecure fashion. This is
like dousing 75% of the population with gasoline, then placing
match-confiscating personnel at the doors of all public arenas.
The problem isn't the matches. It's the gasoline.
Palliative measures to reduce the apparent risk without
addressing the actual cause mask the problem without fixing it.
If sufficient people feel the pain, we'll eventually see
changes either to client behavior or choice.
To which I should add:
MIME encoding allows for useful behavior, including streamlining the
processes for signing and encrypting outgoing mail, and for verifying
and decrypting incoming signed or encrypted messages. The MIME portions
themselves are plaintext [this is addressed elsewhere in the rant. Ed],
and do not contain or constitute an executable or otherwise hostile
The rant is part of a rant-o-matic I've written, and am in the process
of re-writing. The original is a bash script using inline text as
functions which are called. I'm "porting" this to a script which reads
from an 'ar' archive file in which additional rants can be added in a
more streamlined fashion, and other useful functionality added.
- globbing: Specify 'vac' and return the 'vacation' rant, or a list
of matches such as 'vacuum', 'vacillate'...
- searching: Enable searching through rants for terms or phrases to
find an appropriate topic.
- error handling: Indicating, loudly, errors in processing.
- multiple rant generation: Passing a string of arguments such as:
$ rant html wrap quote
...to comment on use of HTML mail, poor wrapping style, and poor
- prefix/suffix: I've found people respond somewhat better to
suggestions when wrapped in syntactic sugar, including mild
flattery, "Please", and "Thank you". Automating this would make for
more natural flow of multiple rants, e.g.:
Please set your mailer/editor linewrap to 68-75 characters. I strongly
recommend 72 as a good default.
Please set your mailer to send text rather than HTML, particularly
to list or Usenet posts.
Could you please: # Syntactic sugar.
Set your mailer/editor linewrap to 68-75 characters. I strongly
recommend 72 as a good default.
Set your mailer to send text rather than HTML, particularly to
list or Usenet posts.
Thank you. # Syntactic sugar.
I've posted the earlier variant to SVLUG, will forward the replacement
The general idea is that while FAQs, netiquette guidelines, and the
like, are useful, there's not a current easy, standard, extensible way
to respond to common questions/faux pas. Hence the rant-o-matic (AKA
vfam), which can let fly a well-formed, informative, and
non-inflammatory message with minimal effort. I also prefer the
semi-auto nature of such tools. Automated procmail recipes are too
prone to misfiring. A well honed, short-keystroke, message-generating
tool which can be incorporated into a mailer (e.g.: in mutt, using vim:
:! r rant gpg
...is a good compromise.
Karsten M. Self <email@example.com> http://kmself.home.netcom.com/
What part of "Gestalt" don't you understand? There is no K5 cabal
Free Dmitry! Boycott Adobe! Repeal the DMCA! http://www.freesklyarov.org
Geek for Hire http://kmself.home.netcom.com/resume.html
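
Added example, not part of the original post: the post says a cleartext-signed alert had its body modified in redistribution and the signature rendered invalid. The sketch below applies the cleartext canonicalization rules of RFC 4880 section 7.1 to a constructed body and shows which relay changes leave the signed text intact. It compares digests of the canonical text instead of verifying a real signature, and every name and sample string in it is an assumption made for the example.

```python
import hashlib

def canonical_cleartext(body: str) -> bytes:
    """Text a verifier hashes for a cleartext-signed body (RFC 4880, 7.1).

    `body` is the text between the armor headers and the signature block,
    exactly as it appears in the mail.
    """
    out = []
    for line in body.replace("\r\n", "\n").split("\n"):
        if line.startswith("- "):        # undo dash-escaping
            line = line[2:]
        out.append(line.rstrip(" \t"))   # trailing spaces/tabs are not signed
    return "\r\n".join(out).encode("utf-8")  # line endings are signed as CRLF

def digest(body: str) -> str:
    # Stand-in for the signature hash: equal canonical text means the
    # original signature would still verify; any difference means it fails.
    return hashlib.sha256(canonical_cleartext(body)).hexdigest()

def signature_survives(sent: str, received: str) -> bool:
    return digest(sent) == digest(received)

# Constructed sample body, not the SANS alert the post mentions.
SENT = (
    "Advisory: upgrade the name server on all hosts today.\n"
    "- - affected: every release before the fixed one\n"
    "From now on, verify the signature before acting.\n"
)

# Constructed examples of changes a body can pick up while being relayed.
RELAYED = {
    "crlf_and_trailing_space": SENT.replace("\n", "  \r\n"),
    "mbox_from_escaping": SENT.replace("\nFrom ", "\n>From "),
    "rewrapped": SENT.replace("today.\n", "today. ", 1),
    "one_word_changed": SENT.replace("upgrade", "downgrade"),
}

def report() -> dict:
    return {name: signature_survives(SENT, body) for name, body in RELAYED.items()}

if __name__ == "__main__":
    for name, ok in report().items():
        print(f"{name:26} {'still verifies' if ok else 'signature INVALID'}")
```

Only the line-ending and trailing-whitespace change survives; From-escaping and re-wrapping invalidate the signature just as an edited word does, so a failed check alone does not tell a reader which of these happened.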