At 3:01 PM -0400 2002/07/10, Andy Dills wrote:
> The passive assumption is that your words are important enough that somebody might want to verify them.
Correct. This statement will be true for just about everyone, at some point in their life.
> So, does EVERY email need to be pgp signed?
Do you need to use ssh every time you access a server remotely? Surely you know when your line is being tapped or when your packets are being sniffed, and you choose only those times to use ssh, and otherwise you use telnet? Same goes for actually using passwords to login -- surely you know when it's a legitimate user that is trying to login and when it's someone trying to gain illicit access to your system, and you require them to use passwords accordingly?
> When was the last time somebody on this list bothered to check the validity of a pgp signed message which they received via nanog?
When was the last time anyone on this list bothered to check the validity of any message they received via any channel? I mean, if you're going to use probability to support your argument, you might as well widen the discussion to a much broader sample group.
> I mean, if John Sidgmore posted to that from now on, Worldcom's official pricing is $100/meg with a 3 meg commit, I wouldn't believe it for a second unless it was signed and I verified it.
Not everything is black and white. At what level would you choose to validate a message like this?

-- 
Brad Knowles, <brad.knowles@skynet.be>

"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
    -Benjamin Franklin, Historical Review of Pennsylvania.