On 6/6/03 at 7:41 AM -0700, Phillip Hallam-Baker wrote:

Do you think that folk signing PGP keys are undertaking unlimited liability should the certification turn out to be incorrect?

No, but if Mary turns out to be someone who signs PGP keys for people I don't like, I can simply say "Don't trust Mary" in my PGP application and the things she signs won't show up as valid unless someone I do trust signs them. If RSA screws up and signs keys for people I don't like, I can't (practically) say "Don't trust RSA" without invalidating a bunch of keys that I probably do want to trust.

I'm not by any means saying that PGP is a perfect solution. It's just that the liability scenario is very different because the amount of damage any given signer can do is much different.

Pete Resnick <mailto:[EMAIL PROTECTED]>
QUALCOMM Incorporated - Direct phone: (858)651-4478, Fax: (858)651-1102
