Maybe some of the telco's are finally learning that the quicker you can install, the sooner you can bill. :) K "Vincent J. Bono" To: <nanog@merit.edu> <vbono@vinny. cc: org> Subject: Kudos to Qwest Sent by: owner-nanog@m erit.edu 07/09/2002 04:00 PM We always hear the worst but I just thought I would plug Qwest in that they just installed an OC-12 point to point cross country for me in 27 hours from time of order. This included cross connects at Level3.
That never stopped Worldcom from billing. Installation? We don't need no stinking Installation! :-) ----- Original Message ----- From: "Kyle C. Bacon" <kbacon@fnsi.net> To: "Vincent J. Bono" <vbono@vinny.org> Cc: <nanog@merit.edu> Sent: Tuesday, July 09, 2002 4:27 PM Subject: Re: Kudos to Qwest
Maybe some of the telco's are finally learning that the quicker you can install, the sooner you can bill. :)
K
"Vincent J. Bono" To: <nanog@merit.edu> <vbono@vinny. cc: org> Subject: Kudos to Qwest Sent by: owner-nanog@m erit.edu
07/09/2002 04:00 PM
We always hear the worst but I just thought I would plug Qwest in that
they
just installed an OC-12 point to point cross country for me in 27 hours from time of order. This included cross connects at Level3.
Well, theres a matter of "customer acceptance" too.... then, "Let the billing begin!!" At 16:27 7/9/02 -0400, you wrote:
Maybe some of the telco's are finally learning that the quicker you can install, the sooner you can bill. :)
K
"Vincent J.
Bono" To: <nanog@merit.edu>
<vbono@vinny. cc:
org> Subject: Kudos to Qwest Sent by:
owner-nanog@m
erit.edu
07/09/2002
04:00 PM
We always hear the worst but I just thought I would plug Qwest in that they just installed an OC-12 point to point cross country for me in 27 hours from time of order. This included cross connects at Level3.
This mail is to notify you that the OC768c that you have ordered has been installed (sometime soon ... promise ... after the check clears). Please send the check for 1,000,000,000.00 USD for the first six months of service to: CASH c/o Joseph T. Klein retirement fund. P.O.Box 551510 Las Vegas, NV. 89155-1510 Thank You. --On Tuesday, 09 July 2002 17:52 -0400 blitz <blitz@macronet.net> wrote:
Well, theres a matter of "customer acceptance" too.... then, "Let the billing begin!!"
-- Joseph T. Klein jtk@titania.net "Why do you continue to use that old Usenet style signature?" -- anon
I know this is off the current subject., but some of you are sending these e-mail's to the list that appear as attachments and not text. This is even more annoying than HTML Mail. The message appears with an empty body and attachments that have names that start with ATT.... This is annoying. Many people wont read your messages because opening attachments is a security risk. If you want your postings read, please use plain text e-mail and not these stupid ATT attachments. (flame off) ----- Original Message ----- From: "Joseph T. Klein" <jtk@titania.net> Cc: <nanog@trapdoor.merit.edu> Sent: Tuesday, July 09, 2002 5:21 PM Subject: Billing Notice
John Palmer wrote:
I know this is off the current subject., but some of you are sending these e-mail's to the list that appear as attachments and not text.
Agreed, that is annoying. It appears to be the result of PGP signed messages, from every instance I can see: X-Mailer: Mulberry/2.2.0 (Mac OS X) MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="==========32168813==========" and: Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="s9fJI615cBHmzTOP" Content-Disposition: inline User-Agent: Mutt/1.2.5i Try filtering on the text 'application/pgp-signature' and you won't see them anymore. Mike
On Tue, Jul 09, 2002 at 04:41:46PM -0600, mike@rockynet.com said:
John Palmer wrote:
I know this is off the current subject., but some of you are sending these e-mail's to the list that appear as attachments and not text.
Agreed, that is annoying.
It appears to be the result of PGP signed messages, from every instance I can see:
[snip] It is. I know mutt, at least, switched to the PGP/MIME attachment style of signatures from the old ASCII-armored messages a few versions back. I personally liked the old style better, but the new one appears to be compliant to the current MIME standards. I'm willing to accept a bit of annoyance in order to promote standards compliance. If only Microsoft was thus motivated. -- -= Scott Francis || darkuncle (at) darkuncle (dot) net =- GPG key CB33CCA7 has been revoked; I am now 5537F527 illum oportet crescere me autem minui
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tue, 9 Jul 2002 17:29:20 -0500 "John Palmer" <nanog@adns.net> wrote:
I know this is off the current subject., but some of you are sending these e-mail's to the list that appear as attachments and not text.
This is even more annoying than HTML Mail.
The message appears with an empty body and attachments that have names that start with ATT....
This is annoying. Many people wont read your messages because opening attachments is a security risk. If you want your postings read, please use plain text e-mail and not these stupid ATT attachments.
(flame off)
<FLAME ON!> That would be annoying if it were true. What you are seeing is PGP/MIME, a standards based protocol for sending secure and authenticated messages. For some reason, you are using a non-standards compliant mail program with known security risks that can not recognize PGP/MIME as a valid MIME type. This could be why you are so concerned with opening attachments. Please filter all messages with the words PGP, Secure, and/or NANOG to prevent this misunderstanding in the future. - -- BillT@Mahagonny.com - PGP KeyID#: 0xFB966670 Anti-Microsoft Zelot since 1989 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE9K2oquLPldPuWZnARAv3qAJ9DVFQsFcCQdMOtAevy5j36BtMlpQCfc3Wk 81TaUdycdmmxAWKFmXlYf+c= =DOCd -----END PGP SIGNATURE-----
I'm afraid you have brought up one of my pet peeves here. On 03:57 PM 7/9/02, Bill Thompson wrote:
What you are seeing is PGP/MIME, a standards based protocol for
<snip blah blah blah> Standards exist as a way for parties who *agree* to use certain data formats to use a previously defined standard format without having to redefine or renegotiate the format all the time. Just because a standard exists for sending email with certain types of attachments, that doesn't mean that all users must agree to use clients that can (and will) process data in every new format, and thus everyone else needs to immediately adjust to each and every new standard that managed to make it thru the RFC process. For instance, there's a "standard" for the text/html protocol too (and dozens of others), yet we clearly eschew that "standard" for messages sent to this mailing list. What makes the PGP-MIME standard different, and so important, that the rest of us have to adapt to it, while eschewing other new standards? What's wrong with just using plain text and putting the damn PGP sig in the body? That's a standard that all email clients can process, and it works for everyone. Heck, it even worked for you when you sent the post I'm replying to here....
"John Palmer" <nanog@adns.net> wrote:
This is even more annoying than HTML Mail.
That would be annoying if it were true.
What is most annoying is the apparent insistence that this particular standard is so critically important that everyone should rush out and upgrade their mail clients to new ones that can process these attachments (while 1001 other new types can just be ignored). There are other ways to achieve the same goal (using plain text, no attachments needed), especially in a discussion list forum. I find your position on PGP-MIME to be a violation of the spirit of RFC 1855 (which predates 2015): - If you include a signature keep it short. Rule of thumb is no longer than 4 lines. Remember that many people pay for connectivity by the minute, and the longer your message is, the more they pay. - "Reasonable" expectations for conduct via e-mail depend on your relationship to a person and the context of the communication. Norms learned in a particular e-mail environment may not apply in general to your e-mail communication with people across the Internet. Be careful with slang or local acronyms. - Delivery receipts, non-delivery notices, and vacation programs are neither totally standardized nor totally reliable across the range of systems connected to Internet mail. They are invasive when sent to mailing lists, and some people consider delivery receipts an invasion of privacy. In short, do not use them. (today's multitude of attachment formats are the invasive equivalent of yesteryear's invasive and non-standard auto-responders, especially when sent to mailing lists) - Be careful with monospacing fonts and diagrams. These will display differently on different systems, and with different mailers on the same system. IMHO if you had to be careful about _font spacing_ to ensure your message was readable to everyone in the discussion forum, today you should be even *more* careful about attachments, ensuring that your message is sent in a format where it can be "properly displayed" on *all* recipient systems. Attempting to force a new format on all members of a large and diverse mailing list when the new format is neither necessary nor widely supported (and reasonable alternatives exist) is just selfish, and rude. jc
on 7/10/2002 6:06 AM JC Dill wrote:
list. What makes the PGP-MIME standard different, and so important, that the rest of us have to adapt to it, while eschewing other new standards?
Nobody is forcing anybody to adopt it. OTOH, complaining to people who use the spec about problems with your own mailer is pretty dumb. -- Eric A. Hall http://www.ehsco.com/ Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
Eric A. Hall <ehall@ehsco.com> was seen to declaim:
Nobody is forcing anybody to adopt it. I think the point is people with non-compliant maillers delete mails with attachments and no body on sight... sometimes, in an automated rule. If you don't care that a percentage of your recipients don't ever get to see your missives (and/or think you are infected with some sort of virus) as long as those that use the same software as you do, then you are in good company - its how most web designers seem to feel about Internet Explorer and flash.
OTOH, complaining to people who use the spec about problems with your own mailer is pretty dumb. As has already been pointed out, just because a standard exists is not a good reason to use it if there is a more backwards-complaint standard that does the same job - like clearsigning the message in the body. As an (extreme) counter-example, there are standards I would be compliant with if I had decided to start each paragraph with a pretty illuminated capital (using a gif image), change the font to a nice, bubbly font in ebcdic order (and include a AOT file for that) and then wrap the whole thing up in mime multipart/related so that a *compliant* reader could view it. however, I am fairly sure that would get me booted from the list *and* would be megabytes of unreadable garbage to most of the list (it is probably unreadable garbage now, but that is just their personal opinion of my emails :) Just because it is a standard, doesn't mean it is appropriate.
In a message written on Wed, Jul 10, 2002 at 04:31:40PM +0100, David Howe wrote:
I think the point is people with non-compliant maillers delete mails with attachments and no body on sight... sometimes, in an automated rule. If you don't care that a percentage of your recipients don't ever
Ok, I tried to stay out of this one, but this comment made me feel I have to jump in. I'm all against attachments, file attachments. Just because a message is MIME encoded, does not mean it is a file though. If people are throwing away MIME messages with a single "text/plain" section then they are firmly in the wrong. All of the "modern" text and GUI mailers display this properly, inline, as a plain old text message. More to the point, if anyone bothered to look at a MIME/PGP message, that's all it is. Specifically, you'll see two parts: ] Content-Type: text/plain; charset=us-ascii ] Content-Disposition: inline ] Content-Transfer-Encoding: quoted-printable ] Content-Type: application/pgp-signature ] Content-Disposition: inline If your mailer isn't showing you the first one as a text/plain message, even if it doesn't understand the second you need a new mailer. Equally, while I don't like the practice, if you haven't configured your mailer to show you text/plain over text/html (assuming you dislike html mail) in a multipart/alternative message then you're also behind the times. Don't complain about HTML mail when someone is also sending you text, just because you're too backwards to display it. If we could convert the whole country, including Joe Idiot from Leaded to Unleaded gas, I'm sure some "network savvy" people can figure out how to make basic MIME work. After all, if we can't communicate in E-MAIL how will we ever make the networks go? -- Leo Bicknell - bicknell@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
Thus spake "Leo Bicknell" <bicknell@ufp.org>
More to the point, if anyone bothered to look at a MIME/PGP message, that's all it is. Specifically, you'll see two parts:
] Content-Type: text/plain; charset=us-ascii ] Content-Disposition: inline ] Content-Transfer-Encoding: quoted-printable
] Content-Type: application/pgp-signature ] Content-Disposition: inline
If your mailer isn't showing you the first one as a text/plain message, even if it doesn't understand the second you need a new mailer.
You left out the MIME header that's actually causing the problem: ] Content-Type: multipart/signed; micalg=pgp-md5; ] protocol="application/pgp-signature"; boundary="0eh6TmSyL6TZE2Uz" My MUA understands multipart/mixed and multipart/alternative; it doesn't understand multipart/signed and therefore has no clue what to do with the message as a whole, even if it does understand one of the component's type. If anyone has a procmail recipe for dropping the second part and promoting the text/* to main body, I'm all ears. S
On Wed, Jul 10, 2002 at 11:11:41AM -0500, ssprunk@cisco.com said: [snip]
You left out the MIME header that's actually causing the problem:
] Content-Type: multipart/signed; micalg=pgp-md5; ] protocol="application/pgp-signature"; boundary="0eh6TmSyL6TZE2Uz"
My MUA understands multipart/mixed and multipart/alternative; it doesn't understand multipart/signed and therefore has no clue what to do with the message as a whole, even if it does understand one of the component's type.
If anyone has a procmail recipe for dropping the second part and promoting the text/* to main body, I'm all ears.
This procmail recipe works for me. YMMV, depending on MUA/OS/crypto combination. ---- # taken from http://www.mutt.org/doc/PGP-Notes.txt :0 * !^Content-Type: message/ * !^Content-Type: multipart/ * !^Content-Type: application/pgp { :0 fBw * ^-----BEGIN PGP MESSAGE----- * ^-----END PGP MESSAGE----- | /usr/local/bin/formail \ -i "Content-Type: application/pgp; format=text; x-action=encrypt" :0 fBw * ^-----BEGIN PGP SIGNED MESSAGE----- * ^-----BEGIN PGP SIGNATURE----- * ^-----END PGP SIGNATURE----- | /usr/local/bin/formail \ -i "Content-Type: application/pgp; format=text; x-action=sign" } ---- -= Scott Francis || darkuncle (at) darkuncle (dot) net =- GPG key CB33CCA7 has been revoked; I am now 5537F527 illum oportet crescere me autem minui
In a message written on Wed, Jul 10, 2002 David Howe wrote:
I think the point is people with non-compliant maillers delete mails with attachments and no body on sight... sometimes, in an automated rule. If you don't care that a percentage of your recipients don't ever
Ok, I tried to stay out of this one, but this comment made me feel I have to jump in. I'm all against attachments, file attachments. Just because a message is MIME encoded, does not mean it is a file though. If people are throwing away MIME messages with a single "text/plain" section then they are firmly in the wrong. All of the "modern" text and GUI mailers display this properly, inline, as a plain old text message. Yup - I am not defending M$'s crapware here; any decent mail client written in the last few years should at least show the text inline and
"Leo Bicknell" <bicknell@ufp.org> illuminated our understanding with: the sig as an attachment. What I am trying to say is it isn't a good defense to say "oh, but its an RFC and my client can handle it, so yours is broken". A documented abomination (and M$'s crapware handles that abomination I came up with just fine) is still an abomination. However, I try to avoid any sort of attachment or mime encoding for mailing lists - simply because it can be badly broken by the list itself (some lists strip attachments, leaving an uninteresting blank message when you try to use pgp mime; some people read in digest mode which is why attachments are stripped, and so forth). pgp mime avoids taking up message body space with the signature (which in most cases can be four times the size of the message) so is a good thing - but that doesn't mean that you should openly insult anyone whose software doesn't include this feature. smtp works best with plaintext ascii-7; anything else is a bonus, but shouldn't be mandatory.
On 08:53 AM 7/10/02, Leo Bicknell wrote:
If people are throwing away MIME messages with a single "text/plain" section then they are firmly in the wrong. All of the "modern" text and GUI mailers display this properly, inline, as a plain old text message.
Per the recently posted stats for members of *this* list: Microsoft 38.71% Mozilla 11.41% Eudora 10.86% I'm using a recent version of the #3 mailer, which I would think qualifies as a "modern" GUI mailer. It presents PGP-MIME messages as an attachment with a format it doesn't know how to read. I'm no more interested in upgrading (or changing) my mailer to deal with *this* attachment type than I am in upgrading to deal with text/html attachments. What part of "it is rude to expect all members of a large and diverse mailing list to accept and parse your particular attachment format" isn't perfectly clear? Netiquette. It's been around a looooong time. You might try following it. jc
On Wed, 10 Jul 2002, JC Dill wrote:
What part of "it is rude to expect all members of a large and diverse mailing list to accept and parse your particular attachment format" isn't perfectly clear?
Netiquette. It's been around a looooong time. You might try following it.
I have no problem reading the attachments (pine displays most attachments nicely), but personally I think the notion of pgp signing every mail you send is extremely arrogant. Remind me again about why I should care about whether or not somebody was spoofing Joe Klein's email address, when this is the content: ------------- This mail is to notify you that the OC768c that you have ordered has been installed (sometime soon ... promise ... after the check clears). Please send the check for 1,000,000,000.00 USD for the first six months of service to: CASH c/o Joseph T. Klein retirement fund. P.O.Box 551510 Las Vegas, NV. 89155-1510 Thank You. ------------- So, in sum: To the people who complain about not being able to read attachments: Learn how to filter. To the people who so arrogantly pgp sign every email they send: Learn how to consider the importance of your words. Andy xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Andy Dills 301-682-9972 Xecunet, LLC www.xecu.net xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Dialup * Webhosting * E-Commerce * High-Speed Access
Regarding electronic signatures. The post was signed so you know for certain that I'm the knucklehead that accidentally started the OT thread with my stupid joke. Arrogant or not IMHO PGP sigs are a good business practice. Signing post means only that you know with some certainty the bozo to hold responsible. I want to own up to my bozoesk, arrogant and stupid ramblings. Using PGP sigs has far more operational relevance than my silly post. Trusted relationships are an essential component to the operation of our industry. People have forged mail posted to this list in the past. I also put my phone number on a bunch of my past posts. I am exercising my right to be verifiably open and accountable for my stupid and arrogent actions. ... but not with this e-mail. --On Wednesday, 10 July 2002 12:49 -0400 Andy Dills <andy@xecu.net> wrote:
On Wed, 10 Jul 2002, JC Dill wrote:
What part of "it is rude to expect all members of a large and diverse mailing list to accept and parse your particular attachment format" isn't perfectly clear?
Netiquette. It's been around a looooong time. You might try following it.
I have no problem reading the attachments (pine displays most attachments nicely), but personally I think the notion of pgp signing every mail you send is extremely arrogant.
Remind me again about why I should care about whether or not somebody was spoofing Joe Klein's email address, when this is the content:
<snip> -- Joseph T. Klein jtk@titania.net "Why do you continue to use that old Usenet style signature?" -- anon
On Wed, 10 Jul 2002, Joseph T. Klein wrote:
Regarding electronic signatures.
The post was signed so you know for certain that I'm the knucklehead that accidentally started the OT thread with my stupid joke. Arrogant or not IMHO PGP sigs are a good business practice.
...when doing business.
Signing post means only that you know with some certainty the bozo to hold responsible. I want to own up to my bozoesk, arrogant and stupid ramblings.
Ah, and that's where the arrogance comment came from. You assume that the members of nanog care. I'm not trying to call you an arrogant person, and I recognize that you're not being blatantly arrogant, it's more of a passive assumption. The passive assumption is that your words are important enough that somebody might want to verify them. So, does EVERY email need to be pgp signed? When was the last time somebody on this list bothered to check the validity of a pgp signed message which they received via nanog? I mean, if John Sidgmore posted to that from now on, Worldcom's official pricing is $100/meg with a 3 meg commit, I wouldn't believe it for a second unless it was signed and I verified it. Andy xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Andy Dills 301-682-9972 Xecunet, LLC www.xecu.net xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Dialup * Webhosting * E-Commerce * High-Speed Access
On Wed, Jul 10, 2002 at 03:01:00PM -0400, andy@xecu.net said: [snip]
Signing post means only that you know with some certainty the bozo to hold responsible. I want to own up to my bozoesk, arrogant and stupid ramblings.
Ah, and that's where the arrogance comment came from. You assume that the members of nanog care. I'm not trying to call you an arrogant person, and I recognize that you're not being blatantly arrogant, it's more of a passive assumption. The passive assumption is that your words are important enough that somebody might want to verify them. So, does EVERY email need to be pgp signed?
If it's important enough to post in the first place, it's worth taking the minimal effort required to sign it. I cannot understand the source of the surprisingly vehement reaction against the PGP/MIME standard and PGP signing in general. I would have thought this audience, at least, would understand the importance of promoting the use of cryptography in general. Perhaps I was being naive.
When was the last time somebody on this list bothered to check the validity of a pgp signed message which they received via nanog?
Every single one that's signed, I check. But then, my MUA does it automagically. [Content-type: text/political] It's just Good Standard Practice. It frequently takes a while for the slower vendors to catch up to standards, but in this case, I think it's a good idea to push the vendors as much as possible towards adoption of support for the OpenPGP standard and strong crypto in general. It may not be personally important to every person for every message at this point in time, but the more common crypto is, the less likely we are to find it de jure or de facto outlawed. The legal history of crypto in the United States, if nowhere else, should provide incentive in this area. -- -= Scott Francis || darkuncle (at) darkuncle (dot) net =- GPG key CB33CCA7 has been revoked; I am now 5537F527 illum oportet crescere me autem minui
My mail user agent verifies every pgp signature it reads. Automatically. Isn't NANOG business??? I work for a big North American Network, have been accused on being an Operator, and on rare occasions post things that are on topic. I'm confused ... We have signing parties at NANOG and IETF to promote the use of trusted e-mail. --On Wednesday, 10 July 2002 15:01 -0400 Andy Dills <andy@xecu.net> wrote:
When was the last time somebody on this list bothered to check the validity of a pgp signed message which they received via nanog?
-- Joseph T. Klein jtk@titania.net "I thought PGP signature where cool." -- an arrogant bastard
At 3:01 PM -0400 2002/07/10, Andy Dills wrote:
The passive assumption is that your words are important enough that somebody might want to verify them.
Correct. This statement will be true for just about everyone, at some point in their life.
So, does EVERY email need to be pgp signed?
Do you need to use ssh every time you access a server remotely? Surely you know when your line is being tapped or when your packets are being sniffed, and you choose only those times to use ssh, and otherwise you use telnet? Same goes for actually using passwords to login -- surely you know when it's a legitimate user that is trying to login and when it's someone trying to gain illicit access to your system, and you require them to use passwords accordingly?
When was the last time somebody on this list bothered to check the validity of a pgp signed message which they received via nanog?
When was the last time anyone on this list bothered to check the validity of any message they received via any channel? I mean, if you're going to use probability to support your argument, you might as well widen the discussion to a much broader sample group.
I mean, if John Sidgmore posted to that from now on, Worldcom's official pricing is $100/meg with a 3 meg commit, I wouldn't believe it for a second unless it was signed and I verified it.
Not everything is black and white. At what level would you choose to validate a message like this? -- Brad Knowles, <brad.knowles@skynet.be> "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin, Historical Review of Pennsylvania.
On Mon, 15 Jul 2002, Brad Knowles wrote:
So, does EVERY email need to be pgp signed?
Do you need to use ssh every time you access a server remotely?
Every time the device runs ssh and I have to type a password, yes.
Surely you know when your line is being tapped or when your packets are being sniffed, and you choose only those times to use ssh, and otherwise you use telnet?
There's some degree of truth to this. For instance, most of my routers do not run ssh. However, I control the network between here and there, so I am comfortable that nobody is capable of sniffing the session, so I am comfortable using telnet and not going through an OOB connection.
Same goes for actually using passwords to login -- surely you know when it's a legitimate user that is trying to login and when it's someone trying to gain illicit access to your system, and you require them to use passwords accordingly?
Of course not. In the previous two situations, a human is making decisions, "judgement calls". This situation, you're asking a computer to do so. Bad analogy.
When was the last time somebody on this list bothered to check the validity of a pgp signed message which they received via nanog?
When was the last time anyone on this list bothered to check the validity of any message they received via any channel? I mean, if you're going to use probability to support your argument, you might as well widen the discussion to a much broader sample group.
So why is it that people are bothering to sign their posts to nanog if nobody cares if the people are who they say they are?
I mean, if John Sidgmore posted to that from now on, Worldcom's official pricing is $100/meg with a 3 meg commit, I wouldn't believe it for a second unless it was signed and I verified it.
Not everything is black and white. At what level would you choose to validate a message like this?
"Not everything is black and white." Does that mean you agree with me that not everything needs to be signed? Or does that mean you agree with me in that a judgement call must be made? Andy xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Andy Dills 301-682-9972 Xecunet, LLC www.xecu.net xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Dialup * Webhosting * E-Commerce * High-Speed Access
On Mon, Jul 15, 2002 at 02:50:48PM -0400, andy@xecu.net said: [snip]
"Not everything is black and white." Does that mean you agree with me that not everything needs to be signed? Or does that mean you agree with me in that a judgement call must be made?
*sigh* Sign your mail, or at least stop protesting about those that make the effort to do so. There are a great many good reasons to do so, and no good reasons not to. Broken software and laziness don't count. -- -= Scott Francis || darkuncle (at) darkuncle (dot) net =- GPG key CB33CCA7 has been revoked; I am now 5537F527 illum oportet crescere me autem minui
Scott Francis wrote:
There are a great many good reasons to do so, and no good reasons not to. Broken software and laziness don't count.
Sure there are. Non-repudiation is not always a good thing. Do you get every physical document you write notarized? If you are sued and email is submitted as evidence by the plaintiff would you rather the mail be signed or unsigned? Bradley
On Mon, Jul 15, 2002 at 03:43:12PM -0400, bradley@dunn.org said:
Scott Francis wrote:
There are a great many good reasons to do so, and no good reasons not to. Broken software and laziness don't count.
Sure there are. Non-repudiation is not always a good thing. Do you get every physical document you write notarized? If you are sued and email is
No, but I use an envelope and a signature on every piece of snail mail I send that I author myself. (Not that there are that many nowadays.)
submitted as evidence by the plaintiff would you rather the mail be signed or unsigned?
I stand behind what I write. If I am sued, I doubt that anything I wrote in email would be to blame. In such a scenario (which, I might add, is entirely hypothetical), the existence or lack of a PGP signature would hardly be the problem. The actions that prompted the lawsuit would, and that is a whole other kettle of fish altogether. This is now so far off-topic I can't even _see_ the NANOG charter. Final post by me. I did enjoy reading the various opinions submitted, but I hold little hope that any arguments given, no matter their merit, will prompt any change in the same. -- -= Scott Francis || darkuncle (at) darkuncle (dot) net =- GPG key CB33CCA7 has been revoked; I am now 5537F527 illum oportet crescere me autem minui
On Wed, 10 Jul 2002, Andy Dills wrote:
On Wed, 10 Jul 2002, JC Dill wrote:
[ SNIP ]
To the people who so arrogantly pgp sign every email they send: Learn how to consider the importance of your words.
Andy
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Andy Dills 301-682-9972 Xecunet, LLC www.xecu.net xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Dialup * Webhosting * E-Commerce * High-Speed Access
Damn you bastard! netiquette violating people with >4 line sigs.
At 2:48 PM -0400 2002/07/10, Martin Hannigan wrote:
To the people who so arrogantly pgp sign every email they send: Learn how to consider the importance of your words.
In the wise words of Brian Hatch (author of _Hacking Linux Exposed_ and _Building Linux VPNs_): If it ain't signed, it ain't me. -- Brad Knowles, <brad.knowles@skynet.be> "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin, Historical Review of Pennsylvania.
on 7/10/2002 10:53 AM Leo Bicknell wrote:
More to the point, if anyone bothered to look at a MIME/PGP message, that's all it is. Specifically, you'll see two parts:
] Content-Type: text/plain; charset=us-ascii ] Content-Disposition: inline ] Content-Transfer-Encoding: quoted-printable
] Content-Type: application/pgp-signature ] Content-Disposition: inline
There's also the multipart/signed parent container. Of course, RFC2046 says that UNKNOWN MEDIA-TYPES are to be treated as multipart/mixed: | 5.1.7. Other Multipart Subtypes | | Other "multipart" subtypes are expected in the future. MIME | implementations must in general treat unrecognized subtypes of | "multipart" as being equivalent to "multipart/mixed". A mailer which displays the embedded text as attachments is going out of its way to be incompatible with the spec. -- Eric A. Hall http://www.ehsco.com/ Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
On Wed, 10 Jul 2002 11:53:40 EDT, Leo Bicknell <bicknell@ufp.org> said:
] Content-Type: text/plain; charset=us-ascii ] Content-Disposition: inline ] Content-Transfer-Encoding: quoted-printable
] Content-Type: application/pgp-signature ] Content-Disposition: inline
If your mailer isn't showing you the first one as a text/plain message, even if it doesn't understand the second you need a new mailer.
Amen. If it's showing the text/plain as an attachment, even when there's a 'Content-Disposition: inline', the MUA is just being contrary to the point of borkedness. There *is* a corner case in the MIME specs in that if your MUA doesn't support multipart/signed, it is required to drop back to multipart/ mixed - and at that point, the treatment of any given text/plain is unspecified (an MUA is free to display all as attachments, all as inline, the first as inline and rest as attachments, or whatever choice it feels like). This ambiguity is why RFC2183 was issued in August 1997. I've made a *partial* fix to exmh to force generation of a Content-Disposition tag (it's still broken for the general case, but THIS message should have a 'inline' attached to the text/plain bodypart). If it in fact isn't there, let me know. If it's there and your MUA now Gets It Right where it didn't used to, let me know. If it's there and your MUA *still* doesn't get it right, let your vendor know - there's nothing else I can do about it. If the exmh fix actually improves things for anybody, and doesn't break things, I'll commit it to the CVS tree. -- Valdis Kletnieks Computer Systems Senior Engineer Virginia Tech
participants (18)
-
Andy Dills -
Bill Thompson -
blitz -
Brad Knowles -
Bradley Dunn -
David Howe -
Eric A. Hall -
JC Dill -
John Palmer -
Joseph T. Klein -
Kyle C. Bacon -
Leo Bicknell -
Martin Hannigan -
Mike Lewinski -
Scott Francis -
Stephen Sprunk -
Valdis.Kletnieks@vt.edu -
Vincent J. Bono