[Enigmail] Enigmail beginner

Robert J. Hansen rjh at sixdemonbag.org
Sat Dec 27 08:38:30 PST 2008


Daryl Styrk wrote:
> By simply signing a message your are assuring the recipient it is
> actually coming from you and not someone borrowing your address for the
> moment.

This is a dangerous oversimplification.

A signature can do this if and only if all of the following are true:

	1.  Your recipient knows you
	2.  Your recipient trusts you
	3.  Your recipient has verified your key fingerprint
	4.  Your recipient trusts your computer has not been hijacked

A few years ago Werner Koch posted a humorous message to gnupg-users
announcing that he had just received his first PGP-signed spam.  A
spammer hijacked someone's machine and used it to send outbound spam.
The user had a PGP proxy set up to automatically sign all outgoing mail,
in the mistaken belief that simply by signing he could assure recipients
the mail was actually coming from him and not from someone borrowing his
address for the moment.

Of all the people I correspond with on the net, I can count on one hand,
with fingers left over, the number of correspondents I have whose PGP
signatures I would consider to have met #s 1-4.  The overwhelming
majority of PGP signatures on the net -- probably more than 99%, once
you think about it -- are absolutely meaningless.
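Hansen's conditions can be checked against what GnuPG itself reports. The script below is added here and is not part of the original post. It assumes GnuPG 2.x (gpg and gpgconf) is installed and that throwaway keyrings may be created under a temporary directory. It builds three keyrings: a sender, an impostor who generates a key under the same name and address, and a recipient who imports both public keys the way a mail client would; the identity, messages and keys are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post.  Assumes GnuPG 2.x ("gpg", "gpgconf")
# is on PATH and that mktemp -d is usable for throwaway keyrings.
set -eu

WORK="$(mktemp -d)"
SENDER="$WORK/sender"; IMPOSTOR="$WORK/impostor"; RECIPIENT="$WORK/recipient"
mkdir -p "$SENDER" "$IMPOSTOR" "$RECIPIENT"
chmod 700 "$SENDER" "$IMPOSTOR" "$RECIPIENT"
cleanup() {
    for h in "$SENDER" "$IMPOSTOR" "$RECIPIENT"; do
        GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

USERID='Sender <sender@example.invalid>'   # constructed sample identity

# Generate an unprotected ed25519 signing key for the sample identity in keyring $1.
gen_key() {
    GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$USERID" ed25519 sign 1d 2>/dev/null
}
# Clear-sign file $2 with the key in keyring $1, writing the result to $3.
sign_file() {
    GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --output "$3" --clearsign "$2" 2>/dev/null
}
# Primary fingerprint of the (only) key in keyring $1.
primary_fpr() {
    GNUPGHOME="$1" gpg --batch --with-colons --list-keys 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}
# Verify signed file $2 from keyring $1's point of view.  Prints
# "<TRUST_status> <signer fingerprint>" for a good signature, "BADSIG" otherwise.
verify_as() {
    GNUPGHOME="$1" gpg --batch --no-tty --status-fd 1 --verify "$2" 2>/dev/null \
        | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { fpr = $3 }
               $1 == "[GNUPG:]" && $2 ~ /^TRUST_/   { trust = $2 }
               END { if (fpr == "") print "BADSIG"; else print trust, fpr }'
}

gen_key "$SENDER"
gen_key "$IMPOSTOR"            # same name and address, different key: anyone can do this
REAL_FPR="$(primary_fpr "$SENDER")"
FAKE_FPR="$(primary_fpr "$IMPOSTOR")"

printf 'Meet me at noon.\n' > "$WORK/real.txt"                    # constructed messages
printf 'Send the money to the new account.\n' > "$WORK/fake.txt"
sign_file "$SENDER"   "$WORK/real.txt" "$WORK/real.asc"
sign_file "$IMPOSTOR" "$WORK/fake.txt" "$WORK/fake.asc"

# The recipient imports both public keys, as a mail client would on first contact.
for h in "$SENDER" "$IMPOSTOR"; do
    GNUPGHOME="$h" gpg --batch --armor --export 2>/dev/null \
        | GNUPGHOME="$RECIPIENT" gpg --batch --quiet --import 2>/dev/null
done

# Condition 3 unmet: gpg calls both signatures good, and rates both keys TRUST_UNDEFINED.
BEFORE_REAL="$(verify_as "$RECIPIENT" "$WORK/real.asc")"
BEFORE_FAKE="$(verify_as "$RECIPIENT" "$WORK/fake.asc")"

# Condition 3 met: the recipient compared REAL_FPR with the sender out of band and
# records that decision (6 = ultimate in gpg's "FPR:n:" ownertrust format; a local
# certification of the key would serve the same purpose).
printf '%s:6:\n' "$REAL_FPR" \
    | GNUPGHOME="$RECIPIENT" gpg --batch --quiet --import-ownertrust 2>/dev/null
GNUPGHOME="$RECIPIENT" gpg --batch --quiet --check-trustdb 2>/dev/null

AFTER_REAL="$(verify_as "$RECIPIENT" "$WORK/real.asc")"
AFTER_FAKE="$(verify_as "$RECIPIENT" "$WORK/fake.asc")"

printf 'before fingerprint check: real=%s\n                          fake=%s\n' \
    "$BEFORE_REAL" "$BEFORE_FAKE"
printf 'after  fingerprint check: real=%s\n                          fake=%s\n' \
    "$AFTER_REAL" "$AFTER_FAKE"
```

Before the fingerprint is checked, the genuine message and the impostor's message are indistinguishable to the recipient: both are GOODSIG, both TRUST_UNDEFINED. Recording the verified fingerprint is what turns the real key's signature into TRUST_ULTIMATE while the impostor's stays TRUST_UNDEFINED. Condition 4 is outside what gpg can report at all: a hijacked machine signs with the real key, so its spam verifies exactly like the owner's own mail.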


