Ugly PGP signatures, was re: C : how to export raw YUV to a file ?
From: Arthur J. O'Dwyer (ajo_at_nospam.andrew.cmu.edu)
Date: 10/09/04
- Next message: Arthur J. O'Dwyer: "Re: Microsoft agrees with "hoisting loop invariants" by programmers!!! News @ 11"
- Previous message: Michael Wojcik: "Re: A few questions about C programming."
- In reply to: Michael Wojcik: "Re: C : how to export raw YUV to a file ?"
- Next in thread: Michael Wojcik: "Re: Ugly PGP signatures, was re: C : how to export raw YUV to a file ?"
- Reply: Michael Wojcik: "Re: Ugly PGP signatures, was re: C : how to export raw YUV to a file ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Fri, 8 Oct 2004 18:46:03 -0400 (EDT)
On Fri, 8 Oct 2004, Michael Wojcik wrote:
>
> "Arthur J. O'Dwyer" <ajo@nospam.andrew.cmu.edu> writes:
>> Aha. This makes a lot of sense now. And I suppose transfer agents
>> are also allowed to rewrite the message body in subtle ways, such as
>> adding or deleting blank-line prefixes and/or suffixes? Otherwise,
>> PGP could simply add a header that would contain the signature of the
>> message body, ignoring all other headers, and it would be fine.
>
> PGP could just as easily convert the message to a canonical form that
> included removing leading and trailing whitespace before signing or
> verifying, so I don't think that would make a difference, actually.
Hm. Yes. I hadn't thought of that. It appears I am correct. ;-)
>> (Re: the suggestion that the sender might only want to sign part of
>> a message body, I can't think of any situations where the inability
>> to not-sign some part of a message you're sending anyway would be any
>> kind of disadvantage. If you don't want people to be sure you said it,
>> why are you putting it in a message with things you /do/ want to be
>> unambiguously associated with?)
>
> Being able to specify the boundaries of the signed message is useful
> for a variety of protocols, such as attaching multiple signatures,
> especially if not all of the signing parties are signing the entire
> message. Remember that PGP is intended for more applications than
> simple Usenet and plain-text email, so some of its features that may
> appear unnecessary in those environments may required for other uses.
But do you really think the OP was using a non-(news client|email
client) to sign his outgoing Usenet posts? I'm willing to bet that his
news client has a built-in PGP signing thingummy which /is/ intended
solely for simple Usenet and plain-text email.
> Consider the situation where you want to forward a signed message to
> another party, with your comments. You'd like the recipient to be
> able to verify the original author's signature. (Maybe your comments
> are also signed by you; that's irrelevant to this argument.) Your
> recipient has to know where the portion signed by the original author
> begins and ends in order to verify that signature.
I suppose so. So I modify my original complaint: Why did the PGP
people pick such a grotesque header and footer to delimit their messages?
The "dash-dash-space" sig marker predates PGP, doesn't it?, so it's not
like they didn't have any idea how to construct unobtrusive delimiters.
How about
X-PGP-Signature: 42,MYBIGLONGHEXSTRING;A537,MYOTHERBIGLONGHEXSTRING
PGP-
Here's my message
signed with PGP.
+PGP42
PGP-
Here's a second message.
+PGPA537
...Well, I recognize it's a moot point now, but I wish they'd picked a
less grotesque delimiting system to begin with.
> [...] And there are clients which initially download only the headers;
> putting the signature in the message body saves on their bandwidth
> and storage requirements.
I hadn't thought of that either. I think it's not terribly relevant
these days; downloading a few PGP signatures along with the headers is
still a lot better than downloading a lot of message bodies. But
maybe In The Future[tm], when every message is signed, leaving the
PGP stuff out of the headers will give you a factor-of-two speed-up
in downloading a bunch of headers. (Except that In The Future we'll
all have enough bandwidth that it won't matter; and we won't want to
be wasting time downloading messages from unsigned sources anyway,
right? :)
>>> If you want a user agent that hides signature delimiters and data,
>>> just write one or adapt an existing one. You're using Pine? How
>>> hard could it be to patch it to hide the signature stuff?
>>
>> Fairly hard to write a patch for a program I've never examined before,
>> on a shared system where I have very limited storage space. Probably
>> very hard to install a patched binary on a shared system where I am not
>> one of the Inner Circle. :)
>
> Sorry, I assumed you were using a shell account and could just run
> binaries you wrote (an NTTP client doesn't need any special
> privileges).
s/NTTP/NNTP/ right? Anyway, I believe that is my situation. But I
would have to keep a copy of the binary around in my own file space, of
which it would presumably take up a significant amount. And---more
importantly, I think---I'd have to be my own maintenance person. Right
now, when Pine stops working for strange and obscure reasons, I just wait
until the sysadmin-type people fix it. :) I don't know squat about
network stuff.
Still, I might take a look sometime when I have time. Probably not
this semester. ;)
-Arthur,
ramblin'
- Next message: Arthur J. O'Dwyer: "Re: Microsoft agrees with "hoisting loop invariants" by programmers!!! News @ 11"
- Previous message: Michael Wojcik: "Re: A few questions about C programming."
- In reply to: Michael Wojcik: "Re: C : how to export raw YUV to a file ?"
- Next in thread: Michael Wojcik: "Re: Ugly PGP signatures, was re: C : how to export raw YUV to a file ?"
- Reply: Michael Wojcik: "Re: Ugly PGP signatures, was re: C : how to export raw YUV to a file ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
|
