[Enigmail] Enigmail beginner

Phil Stracchino alaric at metrocast.net
Sat Dec 27 08:57:25 PST 2008


Robert J. Hansen wrote:
> Daryl Styrk wrote:
>> By simply signing a message you are assuring the recipient it is
>> actually coming from you and not someone borrowing your address for the
>> moment.
> 
> This is a dangerous oversimplification.
> 
> A signature can do this if and only if all of the following are true:
> 
> 	1.  Your recipient knows you
> 	2.  Your recipient trusts you
> 	3.  Your recipient has verified your key fingerprint
> 	4.  Your recipient trusts your computer has not been hijacked
[snip]
> Of all the people I correspond with on the net, I can count on one hand,
> with fingers left over, the number of correspondents I have whose PGP
> signatures I would consider to have met #s 1-4.  The overwhelming
> majority of PGP signatures on the net -- probably more than 99%, once
> you think about it -- are absolutely meaningless.

Now, you might read this and think "If more than 99% of signatures are
meaningless, then what's the point?"  But where the point comes in is
that for signatures that are important to you, it is usually a matter of
comparatively little work to achieve the four conditions above, as long
as the owner of the signature has taken reasonable precautions to secure
their computer(s) and key.  (In the cited example of a PGP proxy set to
auto-sign everything, the key was either completely unprotected or may
as well have been.)

In other words, the signatures that matter to you can usually be made
part of the 1% that are meaningful.  If you're unable to establish
trust, then there's a problem you need to address, which may be human,
technical, or both.


-- 
  Phil Stracchino, CDK#2     DoD#299792458     ICBM: 43.5607, -71.355
  alaric at caerllewys.net   alaric at metrocast.net   phil at co.ordinate.org
         Renaissance Man, Unix ronin, Perl hacker, Free Stater
                 It's not the years, it's the mileage.
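The distinction the thread draws between a signature that verifies and a signature that is meaningful can be made concrete. The following is an added example, not code from the list or from Enigmail/GnuPG: it models condition #3 (the recipient has verified the key fingerprint out of band) with Ed25519 keys, and assumes a SHA-256 of the raw public key as a stand-in for an OpenPGP fingerprint. Conditions 1, 2 and 4 are human judgements and are not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Identity is a public key plus the name it claims. The name is self-asserted,
// just like the user ID on an OpenPGP key: anyone can make a key that says "Alice".
type Identity struct {
	Name string
	Pub  ed25519.PublicKey
}

// Fingerprint stands in for an OpenPGP key fingerprint (assumption: OpenPGP hashes
// its key packet in its own format; SHA-256 of the raw key is the same idea).
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Verdict separates "the maths checks out" from "this tells me who sent it".
type Verdict struct {
	SignatureValid bool // cryptographic verification passed
	KeyVerified    bool // fingerprint was confirmed out of band for this name
}

// Check verifies sig over msg with the claimed key, then applies condition #3:
// the fingerprint must be one the recipient confirmed themselves. pinned maps
// fingerprint -> name, as recorded after an in-person or phone verification.
func Check(id Identity, msg, sig []byte, pinned map[string]string) Verdict {
	v := Verdict{SignatureValid: ed25519.Verify(id.Pub, msg, sig)}
	if v.SignatureValid {
		owner, ok := pinned[Fingerprint(id.Pub)]
		v.KeyVerified = ok && owner == id.Name
	}
	return v
}

func main() {
	alicePub, alicePriv, _ := ed25519.GenerateKey(nil) // nil => crypto/rand
	otherPub, otherPriv, _ := ed25519.GenerateKey(nil) // a second key also claiming "Alice"
	pinned := map[string]string{Fingerprint(alicePub): "Alice"} // constructed: verified at a keysigning
	msg := []byte("constructed sample message")
	fmt.Printf("pinned key:   %+v\n", Check(Identity{"Alice", alicePub}, msg, ed25519.Sign(alicePriv, msg), pinned))
	fmt.Printf("unpinned key: %+v\n", Check(Identity{"Alice", otherPub}, msg, ed25519.Sign(otherPriv, msg), pinned))
	// Both signatures verify; only the first one means anything to the recipient.
}
```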
