At 09:56 PM 9/2/00 -0400, Arnold G. Reinhold wrote:
>At 3:48 PM -0700 9/1/2000, David Honig wrote:
>>At 09:34 AM 8/30/00 -0700, Ed Gerck wrote:
>>>
>>>BTW, many lawyers like to use PGP and it is a good usage niche.  Here, in the
>>>North Bay Area of SF, PGP is not uncommon in such small-group business users.
>>
>>How do they exchange public keys?  Via email I'll bet.
>>
>
>So what if they do? A Man in the Middle attack is difficult to mount 
>and expensive to maintain. It is also easy to detect if the parties 
>ever use out-of-band means to verify keys. I would judge the risk of 
>a MITM attack as much lower than the risk of keys being stolen from 
>the lawyers' computers.

I didn't make myself clear.  I meant that PGP is perfectly useful
*without any keyservers*.  I am in *favor* of people not publishing
their keys, except maybe if you were a business and *wanted* cold-calls
[1].  Sort of like a front-office line and a private back line.

[1] or access and ownership of the keyserver were limited (think corporate
online phone directory)