Date: Tue, 8 Oct 2002 10:44:24 -0700
From: Rick Moen
To: [omitted]
Subject: Re: Libranet 2.7
User-Agent: Mutt/1.4i

> BTW, do you use gnupg?

Yes, but. I should FAQ this.

I approve of gnupg. I have a well-signed keypair (see
http://linuxmafia.com/~rick/). I have mutt set up to autoverify keys on
received mail against keys in my keychain. I have a procmail recipe in
place to rewrite clearsigned mail into RFC 3156 MIME mode for my mbox.
I've written and delivered a pretty good lecture explaining and
advocating it (http://linuxmafia.com/~rick/lecture-notes/gnupg). I have
mutt set up with macros so I can, when I wish, send out my mail
clearsigned. I _agree_ with gnupg advocates that a future with pervasive
use of RFC 3156 MIME-encoded signed mail would be A Very Good Thing.

And yet....

1. Many mail-handling tools such as Mailman's sucky pipermail HTML
archiver don't yet handle RFC 3156 MIME-attached signatures
intelligently. Have you ever looked closely at what MIME-type gnupg
signatures do to a pipermail archive? It's dreadful.

Yes, I'll admit that, in the long run, getting everyone to send RFC 3156
MIME-type signatures will motivate coders to fix the software sooner.
It's just that, over the shorter run, the MIMEd signatures create an
unholy mess. I wince at being part of that problem.

2. Like many technical users, I've been trying to hammer this simple
perception into legions of morons: "DON'T EVER send MIME attachments in
general e-mail. Your crappy quoted-printable encoding, doubled e-mail
with HTML, extraneous vmail crud, extraneous MIME headers, and
occasional binary diarrhea like MS-Word documents are like taking a crap
in the middle of my living room."

It was already difficult _enough_ to get that across to technophobes,
and make them take it seriously. But now I'm supposed to append "...but
it's nonetheless OK, and actively beneficial, to use MIME to
cryptographically sign your mail"? The message gets lost.

I'm acutely conscious of my stance impairing the future to benefit the
present. This doesn't make me happy. But it's my present stance, warts
and all.

> I'm asking because I recall you mentioning concern over having your
> words passed around without modification. gnupg is the perfect tool
> to make sure a message gets distributed unmodified.

Not that big a concern. My writing style is distinctive, for one thing.
If I saw or heard of someone masquerading as me, the obvious
first-level response would be to put out the word "No, that wasn't me,
and you can tell that from the Received headers if nothing else."
Global use of gnupg is a solution vastly exceeding the requirements of
that problem.

I do and would use gnupg if/when I positively needed people to be able
to authenticate a specific e-mail I'm sending. My current compromise is
that I'd send in clearsigned mode, rather than RFC 3156 MIME. Yes, I'm
aware that it's messy, but it's not as messy as RFC 3156 MIME in things
such as pipermail. Yes, I'm aware of an RFC that says clearsigning is
"deprecated": The author can go fsck himself. Yes, I'm aware of the
irony of the fact that I autoconvert clearsigned e-mails I receive to
RFC 3156 format upon delivery to my mbox: I do that because my MUA
software (mutt) better automatically handles and formats RFC 3156 MIME
than it does clearsigning. I don't send the same format partly because
I'm not so arrogant as to assume that all receiving software (including
mailing list archivers) is equally advanced.

You see why I really ought to FAQ this?

-- 
Cheers,               There are only 10 types of people in this world --
Rick Moen             those who understand binary arithmetic and those who don't.
rick@linuxmafia.com
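The message above mentions a procmail recipe that rewrites clearsigned mail into RFC 3156 multipart/signed form on delivery. The following is an added example of what such a delivery filter has to do; it is not the author's recipe and is not taken from the original page. It parses the RFC 4880 clearsign armor (the "Hash:" armor header, dash-escaped lines, trailing whitespace the signer did not hash), reconstructs the exact bytes a detached verification would hash, and wraps text and signature into a multipart/signed entity with the protocol and micalg parameters RFC 3156 prescribes. The sample message is constructed and its signature block is a placeholder, not a real signature. One caveat a practitioner should know: RFC 3156 computes the signature over the whole first body part including its MIME headers, so a signature that was made over bare clearsigned text will not in general verify under the PGP/MIME rules after conversion; what the conversion buys is that an RFC 3156-aware reader displays and handles the message as signed mail, and `canonical_signed_text` gives the bytes to hand to a clearsign-style verification (`gpg --verify signature.asc text`) if that is wanted.

```python
"""Rewrite a clearsigned OpenPGP message (RFC 4880 section 7) into an
RFC 3156 multipart/signed message, as a procmail delivery filter might.
Added example; not the recipe from the original mail."""

import email
from email.message import Message
from email.mime.multipart import MIMEMultipart

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def split_clearsigned(text):
    """Return (hash_names, escaped_lines, armored_signature); ValueError if
    the text is not clearsigned."""
    lines = text.splitlines()
    try:
        start = lines.index(BEGIN_SIGNED)
        sig_start = lines.index(BEGIN_SIG, start)
        sig_end = lines.index(END_SIG, sig_start)
    except ValueError:
        raise ValueError("not a clearsigned message") from None
    # Armor headers follow the BEGIN line and end at the first blank line.
    # RFC 4880: when no "Hash:" header is present the signer used MD5.
    hashes, i = ["MD5"], start + 1
    while i < sig_start and lines[i].strip():
        key, _, value = lines[i].partition(":")
        if key.strip().lower() == "hash":
            hashes = [h.strip() for h in value.split(",") if h.strip()]
        i += 1
    escaped = lines[i + 1:sig_start]
    signature = "\n".join(lines[sig_start:sig_end + 1]) + "\n"
    return hashes, escaped, signature


def unescape_lines(escaped):
    """Undo dash-escaping ('- ' prefix on lines starting with '-') and strip
    the trailing spaces/tabs that RFC 4880 excludes from the hash."""
    return [(l[2:] if l.startswith("- ") else l).rstrip(" \t") for l in escaped]


def canonical_signed_text(escaped):
    """Exact bytes the clearsign signature covers: CRLF line endings, and no
    line ending after the last line (the CRLF before BEGIN PGP SIGNATURE is
    not part of the signed text)."""
    return "\r\n".join(unescape_lines(escaped)).encode("utf-8")


def micalg_for(hash_names):
    """RFC 3156 micalg parameter, e.g. ['SHA256'] -> 'pgp-sha256'."""
    return ",".join("pgp-" + h.lower() for h in hash_names)


def build_pgp_mime(original):
    """multipart/signed Message for a clearsigned single-part original, or
    None when there is nothing to rewrite."""
    if original.is_multipart():
        return None
    charset = original.get_content_charset("us-ascii")
    body = original.get_payload(decode=True).decode(charset, "replace")
    try:
        hashes, escaped, signature = split_clearsigned(body)
    except ValueError:
        return None
    text_part = Message()
    text_part["Content-Type"] = 'text/plain; charset="%s"' % charset
    text_part["Content-Transfer-Encoding"] = "8bit"
    text_part.set_payload("\n".join(unescape_lines(escaped)) + "\n")
    sig_part = Message()
    sig_part["Content-Type"] = 'application/pgp-signature; name="signature.asc"'
    sig_part.set_payload(signature)
    out = MIMEMultipart("signed", protocol="application/pgp-signature",
                        micalg=micalg_for(hashes))
    for name, value in original.items():
        if name.lower() == "mime-version" or name.lower().startswith("content-"):
            continue  # the new structure supplies its own MIME headers
        out[name] = value
    out.attach(text_part)
    out.attach(sig_part)
    return out


def convert(raw):
    """Filter entry point: rewrite clearsigned mail, pass everything else
    through unchanged (a delivery filter must never eat mail)."""
    rewritten = build_pgp_mime(email.message_from_string(raw))
    return raw if rewritten is None else rewritten.as_string()


def inspect_signed(raw):
    """Summarize the multipart/signed structure of a serialized message, or
    None if it is not multipart/signed (used to check the filter's output)."""
    msg = email.message_from_string(raw)
    if msg.get_content_type() != "multipart/signed":
        return None
    text, sig = msg.get_payload()
    return {"protocol": msg.get_param("protocol"), "micalg": msg.get_param("micalg"),
            "text": text.get_payload(), "signature_type": sig.get_content_type()}


# Constructed sample; the signature block is a placeholder, not real data.
SAMPLE = "\n".join([
    "From: alice@example.org", "To: bob@example.org",
    "Subject: constructed clearsigned sample", "",
    BEGIN_SIGNED, "Hash: SHA256", "",
    "Hello Bob,  \t",                                  # trailing whitespace, unsigned
    "- -- this line was dash-escaped by the signer",  # '- ' prefix added by signer
    "Regards",
    BEGIN_SIG, "", "placeholderNotARealSignature==", "=AbCd", END_SIG, "",
])

if __name__ == "__main__":
    print(convert(SAMPLE))
```

Run as a script it prints the rewritten sample; as a procmail filter it would read the message on stdin and write the result to stdout. Note that a message whose body is already multipart (a MIME message carrying a clearsigned text part) is passed through untouched rather than rewritten, since the clearsign armor would then have to be located inside one part and the outer structure rebuilt around it.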