diff --git a/PGP/OTR.html b/PGP/OTR.html index 44ba76d..ede577a 100644 --- a/PGP/OTR.html +++ b/PGP/OTR.html @@ -1,52 +1,38 @@ - - My OTR keys -

OTR

This page lists my OTR key finger prints. I have different keys for all devices, because the keys aren't as easy to sync than with GPG.

To check PGP/GPG signature of this page, download the markdown source and signature files...

curl -OL http://mkaysi.github.com/PGP/OTR.html.md curl -OL http://mkaysi.github.com/PGP/OTR.html.md.asc

...and then run...

gpg --verify OTR.html.md.asc

... You should get something like "UNTRUSTED: Good signature from Mika Suomalainen".

Devgan

Devgan is a laptop.

Pidgin

Debian

@chat.facebook.com || Fingerprint: 4DC7B798 3E3CB54E 62065108 8923A362 BD2B54C4 @gmail.com || Fingerprint: 3A833385 5A65443A 73A7C213 7A244290 2C24F709 @outlook.com || Fingerprint: 3F4BAAF4 BAA10452 28712AB0 12EC1282 D59C8257 @edu.ekami.fi || Fingerprint: B0DC80EC 7B9D4B70 80012C03 1AE2B1B0 E9F52DF6 @jabber.org || Fingerprint: D076B854 5A919CB1 DC32FFAA D0F956EC 086C7BDD @dukgo.com || Fingerprint: B3AE41C3 75946988 86936D92 A7929D23 A52CE715

Ubuntu

Facebook || Fingerprint: B01D4904 8A3BD352 2729758A E42D51D5 BFF44871 GMail || Fingerprint: 8283844D 6F0CB2B5 AB23E239 AF583045 40A06B47 Jabber || Fingerprint: D01ABB87 A9B77C61 BB63EE7E 9AD9E9A6 313B8978 DukGo || Fingerprint: A62333B8 EF1D6615 9432FF5E 86BDAADE 722BCDA0

Ciblia

Ciblia is my phone.

GibberBot

Gibberbot keys changed after installing Cyanogenmod 9.

I must find out what these news keys are before publishing them...

+ + + + + +My OTR keys + + + + +

OTR

+

This page lists my OTR key finger prints. I have different keys for all devices, because the keys aren't as easy to sync than with GPG.

+

To check PGP/GPG signature of this page, download the markdown source and signature files...

+
curl -OL http://mkaysi.github.com/PGP/OTR.html.md
+curl -OL http://mkaysi.github.com/PGP/OTR.html.md.asc
+

...and then run...

+
+

gpg --verify OTR.html.md.asc

+
+

... You should get something like "UNTRUSTED: Good signature from Mika Suomalainen".

+

Devgan

+

Devgan is a laptop.

+

Pidgin

+

Debian

+

@chat.facebook.com || Fingerprint: 4DC7B798 3E3CB54E 62065108 8923A362 BD2B54C4 @gmail.com || Fingerprint: 3A833385 5A65443A 73A7C213 7A244290 2C24F709 @outlook.com || Fingerprint: 3F4BAAF4 BAA10452 28712AB0 12EC1282 D59C8257 @edu.ekami.fi || Fingerprint: B0DC80EC 7B9D4B70 80012C03 1AE2B1B0 E9F52DF6 @jabber.org || Fingerprint: D076B854 5A919CB1 DC32FFAA D0F956EC 086C7BDD @dukgo.com || Fingerprint: B3AE41C3 75946988 86936D92 A7929D23 A52CE715

+

Ubuntu

+

Facebook || Fingerprint: B01D4904 8A3BD352 2729758A E42D51D5 BFF44871 GMail || Fingerprint: 8283844D 6F0CB2B5 AB23E239 AF583045 40A06B47 Jabber || Fingerprint: D01ABB87 A9B77C61 BB63EE7E 9AD9E9A6 313B8978 DukGo || Fingerprint: A62333B8 EF1D6615 9432FF5E 86BDAADE 722BCDA0

+

Ciblia

+

Ciblia is my phone.

+

GibberBot

+

Gibberbot keys changed after installing Cyanogenmod 9.

+

I must find out what these news keys are before publishing them...

+
diff --git a/PGP/Replies.html b/PGP/Replies.html index 867072b..ffc5fae 100644 --- a/PGP/Replies.html +++ b/PGP/Replies.html @@ -1,50 +1,44 @@ - - What to remove in replies to PGP/INLINE signed emails. -

What you should remove from email, when you reply into PGP/INLINE signed email.

Top

From top of the email, remove everything after

-----BEGIN PGP SIGNED MESSAGE-----

untill the first line change.

For example:

``` -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

Hi, ```

You would remove

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

so the message would be

Hi,

Bottom

Remove everything between lines

-----BEGIN PGP SIGNATURE-----

and

-----END PGP SIGNATURE-----

+ + + + + +What to remove in replies to PGP/INLINE signed emails. + + + + +

What you should remove from email, when you reply into PGP/INLINE signed email.

+

Top

+

From top of the email, remove everything after

+
+

-----BEGIN PGP SIGNED MESSAGE-----

+
+

untill the first line change.

+

For example:

+
-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+Hi,
+

You would remove

+
-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+

so the message would be

+
+

Hi,

+
+

Bottom

+

Remove everything between lines

+
+

-----BEGIN PGP SIGNATURE-----

+
+

and

+
+

-----END PGP SIGNATURE-----

+
+
diff --git a/PGP/WhyDoISignEmails.html b/PGP/WhyDoISignEmails.html index 58fc367..3a1261c 100644 --- a/PGP/WhyDoISignEmails.html +++ b/PGP/WhyDoISignEmails.html @@ -1,146 +1,64 @@ - - Why do I sign emails, which I send? -

Signing emails.

Why do you sign all your messages?

The signature is evidence that message comes from me. If I sign all my messages, I can say that I sign all my messages and possibly unsigned offensive content, which is spoofed to "come" from my address, isn't sent by me.

But it doesn't prove anything, you can just leave offensive content unsigned.

True, I could do that. But I don't have habit of writing offensive text and saying that it doesn't come from me.

Your signature doesn't mean anything anyway, because you aren't part of any trust web.

Actually, I am, but my key is only signed by bots (see below).

You might have "import-minimal" or "import-clean" in your keyserver-options in your gpg.conf, so you don't see the signatures. If you don't have them, run

gpg --keyserver pool.sks-keyservers.net --refresh-keys 0x4DB53CFE82A46728

and signatures should appear.

NOTE: My key contains information, that my preferred keyserver is pool.sks-keyservers.net, so it's used with --refresh-keys with my key even if you speify another keyserver. This isn't the case if you use very old version of my key.

Why you don't get signatures from some bot certificate authority?

PGP Global Directory

I have got signature from PGP Global Directory, it wanted only to confirm my email addresses.

Hushmail

I have got signature from Hushmail. It wanted only to confirm email addresses too.

CAcert

According to "Locate assurer" feature at CAcert, the nearest assurer is 110KM away from me.

Why did you mention CAcert?

https://wiki.cacert.org/PgpSigning

Clearsigning/INLINE signing

Why do you GPG clearsign your emails instead of using PGP/MIME or something less spammy?

  1. Some mailing list software mess up with headers and make PGP/MIME signatures unverifiable at least to Enigmail. Some people say that that what those mailing lists do is completely valid. It's up to you to believe in Enigmail developers or other people.

    Which mailing lists do that?

    At least the following:

    1. Ubuntu mailing lists. See also bug 996581 at Launchpad.

    2. Mozdev mailing lists.

    3. GnuPG mailing lists.

  2. INLINE messages are easier to verify manually (presuming that charset doesn't cause problems).

    There are many web archives and sometimes people want to verify signatures of emails, which they didn't receive. Think about Debian BTS.

  3. K9 Mail doesn't support PGP/MIME.

  4. Debian BTS doesn't send working PGP/MIME back in subscribtion confirmations.

    In my opinion, it's easier to check did you request something with [Ðebian BTS] if it has content, which is signed with your key.

But clearsigned signature looks ugly.

This is the problem of your email client. If you use Thunderbird or Icedove or Seamonkey, you can probably install Enigmail and that signature block gets hidden. If you use some other email client, please report bug for that package in your distribution or upstream bug tracker.

I am on slow connection and your signature is too big for me.

And what does that have to do with INLINE signature? In PGP/MIME you would download the same mess, but inside signature.asc file.

Other things

Why did you write this page?

Because I am fed up explaining myself on some mailing lists. This page will be linked in my email signature and I will ignore every question about things, which read on this page.

So you are just ignorant and want to spam people?

I want to raise awareness about PGP and that it's very easy to spoof emails from addresses of other people. As stated previously, I will also ignore claims like that.

+ + + + + +Why do I sign emails, which I send? + + + + +

Signing emails.

+

Why do you sign all your messages?

+

The signature is evidence that message comes from me. If I sign all my messages, I can say that I sign all my messages and possibly unsigned offensive content, which is spoofed to "come" from my address, isn't sent by me.

+

But it doesn't prove anything, you can just leave offensive content unsigned.

+

True, I could do that. But I don't have habit of writing offensive text and saying that it doesn't come from me.

+

Your signature doesn't mean anything anyway, because you aren't part of any trust web.

+

Actually, I am, but my key is only signed by bots (see below).

+

You might have "import-minimal" or "import-clean" in your keyserver-options in your gpg.conf, so you don't see the signatures. If you don't have them, run

+
+

gpg --keyserver pool.sks-keyservers.net --refresh-keys 0x4DB53CFE82A46728

+
+

and signatures should appear.

+

NOTE: My key contains information, that my preferred keyserver is pool.sks-keyservers.net, so it's used with --refresh-keys with my key even if you speify another keyserver. This isn't the case if you use very old version of my key.

+

Why you don't get signatures from some bot certificate authority?

+

PGP Global Directory

+

I have got signature from PGP Global Directory, it wanted only to confirm my email addresses.

+

Hushmail

+

I have got signature from Hushmail. It wanted only to confirm email addresses too.

+

CAcert

+

According to "Locate assurer" feature at CAcert, the nearest assurer is 110KM away from me.

+

Why did you mention CAcert?

+

https://wiki.cacert.org/PgpSigning

+

Clearsigning/INLINE signing

+

Why do you GPG clearsign your emails instead of using PGP/MIME or something less spammy?

+
    +

  1. Some mailing list software mess up with headers and make PGP/MIME signatures unverifiable at least to Enigmail. Some people say that that what those mailing lists do is completely valid. It's up to you to believe in Enigmail developers or other people.

    +

    Which mailing lists do that?

    +

    At least the following:

    +
      +

    1. Ubuntu mailing lists. See also bug 996581 at Launchpad.

      2. +

    2. Mozdev mailing lists.

      3. +

    3. GnuPG mailing lists.

      4. +
    2. +

  2. INLINE messages are easier to verify manually (presuming that charset doesn't cause problems).

    +

    There are many web archives and sometimes people want to verify signatures of emails, which they didn't receive. Think about Debian BTS.

    3. +

  3. K9 Mail doesn't support PGP/MIME.

    4. +

  4. Debian BTS doesn't send working PGP/MIME back in subscribtion confirmations.

    +

    In my opinion, it's easier to check did you request something with [Ðebian BTS] if it has content, which is signed with your key.

    5. +
+

But clearsigned signature looks ugly.

+

This is the problem of your email client. If you use Thunderbird or Icedove or Seamonkey, you can probably install Enigmail and that signature block gets hidden. If you use some other email client, please report bug for that package in your distribution or upstream bug tracker.

+

I am on slow connection and your signature is too big for me.

+

And what does that have to do with INLINE signature? In PGP/MIME you would download the same mess, but inside signature.asc file.

+

Other things

+

Why did you write this page?

+

Because I am fed up explaining myself on some mailing lists. This page will be linked in my email signature and I will ignore every question about things, which read on this page.

+

So you are just ignorant and want to spam people?

+

I want to raise awareness about PGP and that it's very easy to spoof emails from addresses of other people. As stated previously, I will also ignore claims like that.

+