Hi,
From: Chris Garrigues
Subject: Re: PGP/GPG signatures
Date: Tue, 08 Oct 2002 15:33:30 -0500
> > From: [EMAIL PROTECTED]
> > Date: Wed, 09 Oct 2002 05:16:31 +0900 (JST)
> >
> > I wouldn't want this to be the case for messages that claim to be from
> > someone on my keyring (at least not until spammers start sucking
> > information off of keyservers and customize their spam according to
> > people who have signed your key) or whitelist. I don't think every
> > PGP user is diligent about creating a new key when an old expires for
> > instance (I believe it would be better if they did, of course).
>
> Are you suggesting that spammers might crack pgp and send messages
> that appear to be signed by someone on my keyring?
Hmmm, what I wrote is confusing -- sorry about that. I didn't mean to
suggest anything about PGP being cracked by spammers.

What I meant was that I wouldn't necessarily want invalid signatures
[1] to be rejected (specifically, there are the cases of the date or a
bug in the verification software being the cause of invalidity --
that's one case where I don't want automatic rejection).

I think the bit about spammers sucking keyrings off of key servers was
my brain short circuiting. My apologies.

[1] All this "signature" stuff is kind of inadequate in the long term
w/o some kind of notarization anyway -- consider the case where
one's secret key leaks and back-dated messages are forged. W/o
some additional mechanism, there's no way to tell these apart from
legitimate "signatures".
_____________________________________________
tmda-users mailing list ([EMAIL PROTECTED])
http://tmda.net/lists/listinfo/tmda-users