[linux-elitists] Fwd: PGP signature attachments!

Karsten M. Self kmself@ix.netcom.com
Fri Sep 7 11:48:59 PDT 2001


on Fri, Sep 07, 2001 at 07:13:22PM +0100, Sean Neakums (sneakums@zork.net) wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> begin  Wil Cooley quotation:
> 
> > How the hell do you respond to someone like this?
> 
> Like every good Net citizen, you eschew MIME and sign in plaintext.
> 
> A little like this.

I'll do this on a case-by-case basis, but with great reluctance.

Borrowing from my own canned rant posted here by Aaron:

    It's been suggested variously that I sign messages inline,
    or in some instances, that mailing lists drop all MIME-encoded
    attachments.  I believe this is the wrong solution for two reasons:

      - It breaks useful behavior.  MIME attachments *can*
        provide useful information, including support of non-ASCII
        character sets, required for basic communications in much
        of the world.  In the case of signed messages, a recent
        SANS alert of the BIND exploit of the day was copied to a
        mailing list I'm subscribed to as cleartext-signed message.
        The body of the message was modified in two generations of
        distribution and the signature rendered invalid.  This is
        not immediately apparent as messages which are cleartext-
        signed must be verified as a separate, manual, step.  In the
        case of security exploits and announcements, such verification
        and authentication is of some importance.

      - It's not the root problem.  The root problem is mail clients
        which handle untrusted content in an insecure fashion.  This is
        like dousing 75% of the population with gasoline, then placing
        match-confiscating personnel at the doors of all public arenas.
        The problem isn't the matches.  It's the gasoline.

        Palliative measures to reduce the apparent risk without
        addressing the actual cause mask the problem without fixing it.
        If sufficient people feel the pain, we'll eventually see
        changes either to client behavior or choice.

To which I should add:

MIME encoding allows for useful behavior, including streamlining the
processes for signing and encrypting outgoing mail, and for verifying
and decrypting incoming signed or encrypted messages.  The MIME portions
themselves are plaintext [this is addressed elsewhere in the rant. Ed],
and do not contain or constitute an executable or otherwise hostile
payload.

The rant is part of a rant-o-matic I've written, and am in the process
of re-writing.  The original is a bash script using inline text as
functions which are called.  I'm "porting" this to a script which reads
from an 'ar' archive file in which additional rants can be added in a
more streamlined fashion, and other useful functionality added.
Features considered:

  - globbing:  Specify 'vac' and return the 'vacation' rant, or a list
    of matches such as 'vacuum', 'vacillate'...

  - searching:  Enable searching through rants for terms or phrases to
    find an appropriate topic.

  - error handling:  Indicating, loudly, errors in processing.

  - multiple rant generation:  Passing a string of arguments such as:

      $ rant html wrap quote

    ...to comment on use of HTML mail, poor wrapping style, and poor
    quoting style.

  - prefix/suffix:  I've found people respond somewhat better to
    suggestions when wrapped in syntactic sugar, including mild
    flattery, "Please", and "Thank you".  Automating this would make for
    more natural flow of multiple rants, e.g.:


	Please set your mailer/editor linewrap to 68-75 characters.  I strongly
	recommend 72 as a good default.

	Thank you.

	Please set your mailer to send text rather than HTML, particularly
	to list or Usenet posts.

	Thank you.

    versus:

        Could you please:	# Syntactic sugar.

	Set your mailer/editor linewrap to 68-75 characters.  I strongly
	recommend 72 as a good default.

	Set your mailer to send text rather than HTML, particularly to
	list or Usenet posts.

	Thank you.		# Syntactic sugar.

I've posted the earlier variant to SVLUG, will forward the replacement
when ready.

The general idea is that while FAQs, netiquette guidelines, and the
like, are useful, there's not a current easy, standard, extensible way
to respond to common questions/faux pas.  Hence the rant-o-matic (AKA
vfam), which can let fly a well-formed, informative, and
non-inflammatory message with minimal effort.  I also prefer the
semi-auto nature of such tools.  Automated procmail recipes are too
prone to misfiring.  A well honed, short-keystroke, message-generating
tool which can be incorporated into a mailer (e.g.:  in mutt, using vim):

    :r! rant gpg

...is a good compromise.

Cheers.

-- 
Karsten M. Self <kmself@ix.netcom.com>          http://kmself.home.netcom.com/
 What part of "Gestalt" don't you understand?             There is no K5 cabal
  http://gestalt-system.sourceforge.net/               http://www.kuro5hin.org
   Free Dmitry! Boycott Adobe! Repeal the DMCA!    http://www.freesklyarov.org
Geek for Hire                        http://kmself.home.netcom.com/resume.html
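
Added example, not part of the original message: the message above describes a cleartext-signed advisory whose body was altered in redistribution, invalidating the signature. This sketch computes the canonical signed bytes as RFC 4880 section 7 defines them and shows which in-transit changes leave them intact; the sample body, the `TRANSIT` table and all function names are constructed for illustration, and no real signature is checked.

```python
import hashlib, re, textwrap

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"

def signed_text(message: str) -> bytes:
    """Canonical bytes covered by a cleartext signature (RFC 4880, section 7)."""
    lines = message.splitlines()
    start = lines.index(BEGIN_MSG)
    end = lines.index(BEGIN_SIG, start)
    # Armor headers such as "Hash: SHA1" end at the first empty line.
    first = next(i for i in range(start + 1, end) if not lines[i].strip()) + 1
    body = []
    for line in lines[first:end]:
        if line.startswith("- "):          # undo dash-escaping
            line = line[2:]
        body.append(line.rstrip(" \t"))    # trailing blanks are not signed
    return "\r\n".join(body).encode("utf-8")  # line endings are signed as CRLF

def wrap_signed(body: str) -> str:
    """Frame a body as a cleartext-signed message; the signature is a placeholder."""
    return (f"{BEGIN_MSG}\nHash: SHA1\n\n{body}\n{BEGIN_SIG}\n\n"
            "(placeholder, no real signature data)\n-----END PGP SIGNATURE-----\n")

# Constructed sample body, not a real advisory.
BODY = ("From the vendor: upgrade the name server before exposing it again, "
        "and check the package signature first.\n"
        "- -- \n"
        "Constructed sample text, not a real advisory")

# Changes a relay or list might make to the body in transit (constructed).
TRANSIT = {
    "unchanged": lambda b: b,
    "CRLF line endings": lambda b: b.replace("\n", "\r\n"),
    "trailing blanks added": lambda b: b.replace("\n", " \t\n"),
    "re-wrapped at 40 columns":
        lambda b: "\n".join(textwrap.fill(l, 40) for l in b.split("\n")),
    "mbox From-escaping": lambda b: re.sub(r"(?m)^From ", ">From ", b),
}

def survives(name: str) -> bool:
    """True if the signed bytes are identical after the named modification."""
    changed = wrap_signed(TRANSIT[name](BODY))
    return signed_text(changed) == signed_text(wrap_signed(BODY))

if __name__ == "__main__":
    for name in TRANSIT:
        data = signed_text(wrap_signed(TRANSIT[name](BODY)))
        verdict = "signed bytes intact" if survives(name) else "SIGNATURE BROKEN"
        print(f"{name:26} {hashlib.sha256(data).hexdigest()[:12]}  {verdict}")
```

Line-ending and trailing-whitespace changes are absorbed by canonicalization; re-wrapping and mbox `From ` escaping change the signed bytes, so the original signature no longer verifies.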