On Wed, Oct 17, 2007 at 09:34:34AM +0200, Sven Radde wrote:

> Probably true, but how will spammers get signatures on their stuff that
> are valid *for me*? They would have to compromise one of the keys that
> are valid on my keyring or one that would be considered trustworthy by
> means of the web-of-trust.

Why not just take some signed content from a key in the strong set, like this message, and add some unsigned spam to it? It would be a great way to ruin keys by making them "spam-keys."

> Maintaining a dedicated database of "spam-keys" that had been
> trustworthy but were used for spam would help, too (to assign messages
> signed by those keys a bad score).

(These are best revoked by their owners, of course.)

Unfortunately, these databases might be naively implemented as keyservers, or existing keyservers could start being burdened with "votes" in the form of signatures and/or revocations from any number of signers (voters). At most, you would only want to publish fingerprints of such keys rather than helping propagate and/or bloat them.

Worse, how do you determine that some replayed signed content was indeed replayed? Does everyone now have to start publishing lists of the hashes for all their unencrypted, signed messages and the intended recipient(s) for each message? How would these lists be verified?

-- 
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
[EMAIL PROTECTED] _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
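The "signed content plus appended unsigned spam" case Jason raises, and his question about publishing hashes of signed messages, as an added example that is not part of the original thread. It only locates the armor boundaries of a clearsigned message to show which text a signature actually covers and to hash that text; it does not verify signatures (that remains gpg's job). The sample message and its signature body are constructed placeholders, not real OpenPGP data.

```python
import hashlib

# Constructed sample: a clearsigned note with unsigned text appended after the
# signature block. The signature body is a placeholder, not a real signature.
SAMPLE = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Why not just take some signed content and add unsigned text to it?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG (placeholder)

PLACEHOLDERSIGNATUREDATA
=abcd
-----END PGP SIGNATURE-----
BUY CHEAP WIDGETS NOW!!! http://example.invalid/
"""
# Same message without the appended trailer, for comparison.
CLEAN = SAMPLE.rsplit("\n", 2)[0] + "\n"

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def split_clearsigned(message: str) -> dict:
    """Partition a clearsigned message into the signed text and the text
    outside the armor. Only the lines between the armor headers' blank line
    and BEGIN PGP SIGNATURE are covered by the signature; anything before
    the first armor line or after END PGP SIGNATURE is unsigned."""
    lines = message.splitlines()
    try:
        start = lines.index(BEGIN_SIGNED)
        sig_start = lines.index(BEGIN_SIG, start)
        end = lines.index(END_SIG, sig_start)
    except ValueError:
        raise ValueError("not a clearsigned message") from None
    body_start = lines.index("", start) + 1  # armor headers end at a blank line
    return {
        "signed_text": "\n".join(lines[body_start:sig_start]),
        "unsigned_before": "\n".join(lines[:start]),
        "unsigned_after": "\n".join(lines[end + 1:]),
    }


def unsigned_trailer(message: str) -> str:
    """Unsigned text following the signature block; "" when there is none."""
    return split_clearsigned(message)["unsigned_after"].strip()


def signed_digest(message: str) -> str:
    """SHA-256 of the signed text alone: the value a signer could publish so
    recipients can recognise a replayed signed body regardless of what was
    appended to it."""
    return hashlib.sha256(split_clearsigned(message)["signed_text"].encode()).hexdigest()
```

Because the digest is taken over the signed text only, SAMPLE and CLEAN yield the same value even though one carries an unsigned trailer.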