This was EXACTLY my point as to why GPG/PGP for signing email is
currently flawed the way it works now.

>   Case in point: This discussion originated as a discussion 
> about using digital signatures to counter spam.  Since 
> digital signatures, on today's Internet, are relatively 
> uncommon, they do not provide non-repudiation.  
> Thus, digital signatures cannot be used to prove one did not 
> send a given spam.
> 
>   Now, I am sure someone will say, "If you sign all your 
> messages, then the unsigned spam will be suspect, because it 
> lacks your digital signature."
> 
>   That again misses the most fundamental aspect of security: 
> Security is entirely about trust.  Someone sending 
> illegitimate mail is, almost by definition, not to be 
> trusted.  Thus, if you are suspected of sending an 
> illegitimate message, the fact that you nominally sign all 
> your messages does not impart trust.  Indeed, one who 
> regularly traffics in illegitimate messages would be rather 
> more likely to sign all their legitimate mail.  
> Meanwhile, if you can, by other means, prove you are 
> trustworthy, the digital signature becomes superfluous.  We 
> already know you are trustworthy;  
> thus, we don't need a digital signature to know you did not 
> send the illegitimate message.


_______________________________________________
gnhlug-discuss mailing list
[EMAIL PROTECTED]
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss