On 15-10-01 13:05:28, Robert J. Hansen wrote:
> > Whilst that is partially useful, surely it only vouches for the fact
> > that the postings came from the same person and not who that person is -
> > and as such is of very limited use.
>
> Yes. No. Somewhere in between.
>
> Some years ago a user on PGP-Basics was irate over how I refused to sign
> my messages. My argument was basically the one you were using: that
> nobody on the list had verified my identity and that made my signatures
> of marginal use. This fellow insisted, and insisted rudely, so John
> Clizbe, John W. Moore, and I all conspired together to make a point: we
> created a keypair, shared it amongst us, and all three of us used the
> exact same certificate to sign our emails.
>
> It took a few months for anyone to notice.
>
> So sure, yes, without identity verification it's hard to have confidence
> in someone's legal identity, absolutely. But even with identity
> verification, most people don't even bother to check to see that the
> signing certificate's email address matches the one on the email.
> Identity verification is a useful step: it's not a sufficient one by itself.

Don't all decent e-mail clients automagically check if a signature is legit and matches the known public key?

/Jonas
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
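
Added example, not part of the original message or of GnuPG: a Python sketch of the two checks the thread touches on, namely whether the user ID gpg reports for a good signature matches the From address, and whether one key is signing for several senders. The `status()` helper, the sample messages, addresses and fingerprints are constructed, and the VALIDSIG lines are abbreviated to the fields the code reads.

```python
import re
from collections import defaultdict
from email.utils import parseaddr

GOODSIG = re.compile(r"^\[GNUPG:\] GOODSIG (\S+) (.*)$", re.M)
VALIDSIG = re.compile(r"^\[GNUPG:\] VALIDSIG ([0-9A-F]{40})\b", re.M)

def status(fpr, uid):
    """Constructed, abbreviated `gpg --status-fd` output for one message."""
    return f"[GNUPG:] GOODSIG {fpr[-16:]} {uid}\n[GNUPG:] VALIDSIG {fpr} 2015-10-01\n"

# Constructed sample: (From header, gpg status output). Keys are placeholders.
KEY_A, KEY_B = "A" * 40, "B" * 40
MESSAGES = [
    ("Alice <alice@example.org>", status(KEY_A, "Alice <alice@example.org>")),
    ("Bob <bob@example.org>", status(KEY_A, "Alice <alice@example.org>")),
    ("Carol <carol@example.org>", status(KEY_B, "Carol <carol@example.org>")),
]

def check_message(from_header, gpg_status):
    """Return (fingerprint, sender, problem) for one message."""
    sender = parseaddr(from_header)[1].lower()
    good, valid = GOODSIG.search(gpg_status), VALIDSIG.search(gpg_status)
    if not (good and valid):
        return None, sender, f"no valid signature from {sender}"
    # A cryptographically good signature says nothing about the From header,
    # so compare the address in the reported user ID with the sender.
    uid_email = parseaddr(good.group(2))[1].lower()
    problem = None if uid_email == sender else f"UID {uid_email} != From {sender}"
    return valid.group(1), sender, problem

def audit(messages):
    """List UID/From mismatches and keys that sign for more than one sender."""
    findings, senders_by_key = [], defaultdict(set)
    for from_header, gpg_status in messages:
        fpr, sender, problem = check_message(from_header, gpg_status)
        if problem:
            findings.append(problem)
        if fpr:
            senders_by_key[fpr].add(sender)
    for fpr, senders in sorted(senders_by_key.items()):
        if len(senders) > 1:
            findings.append(f"key {fpr[-8:]} signs for {sorted(senders)}")
    return findings

if __name__ == "__main__":
    for line in audit(MESSAGES):
        print(line)
```
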