[plug] Was bun fight about "bad" words.

Mark Dixon mdixon at ecel.uwa.edu.au
Mon Apr 1 20:53:38 WST 2002


> > There may not be "proof of provenance for email", but it is possible to provide fairly
> > convincing evidence.

> 1.  Few people use digital signatures with their email and even fewer
> still use S/MIME.

However, many popular products support it.  And even if one does not choose to use it, the e-mail
client is likely to present an intriguing icon which might attract enough attention for the user to
poke it.  When poked, your client will tell you all the dirty details about digital sigs &
certificates, and the quality, or lack of same, in the one attached to the note you are reading.

> 2.  Most people on this list probably don't know those who have signed
> your key.

The "Web of Trust" is based on the concept that the "vendor" (Thawte in the case of my sig) has a
reputation of requiring notaries that they have vetted check identity documents in a face-to-face
interview before a certificate is issued with a person's name in it.  So the reader can have some
confidence in the certificate without knowing the individual notaries involved.

> 3.  Of those people who may happen to know them, chances are the
> certification means little because they don't use encryption (or
> S/MIME).

Again, the encryption processes are handled automatically by the client software and the user may
remain unaware that encryption is occurring.

> 4.  Of those very few who know them and use S/MIME, even fewer have an
> authenticated copy of their key.

The PKI provides processes for verifying the key if the reader desires to do so.  Instructions pop
up in most clients if the reader shows any interest in doing so (by poking the buttons that warn
about revocation & validation).

> 5.  No operating system is completely secure (yada yada yada) but since
> you're using Windows with Outlook Express, there's plenty of chance for
> your key to be compromised.

The vulnerability of the opsys and e-mail client does not necessarily compromise the certificate.

> The actual usefulness of your key in authenticating you to this list:
> virtually nil.

I disagree with your summary statement in that I have challenged the premises that lead to it.
However, I agree that we would all be wasting our time (or just being posers) if we went about
signing all our posts to this forum.

> I take your point that it's *possible* to set up a PKI such that email
> is fairly well authenticated.  But Paul's claim of the limited validity
> of email addresses and names on this list is far stronger.

Then we are perhaps agreed?  My original point was: "There may not be "proof of provenance for
email", but it is possible to provide fairly convincing evidence."

Cheers, Mark Dixon.


