Seth David Schoen writes:

> People also don't necessarily check it in practice. Someone made fake
> keys for all of the attendees of a particular keysigning party in
> 2010 (including me); I've gotten unreadable encrypted messages from
> over a dozen PGP users as a result, because they believed the fake key
> was real or because software auto-downloaded it for them without
> checking the signatures.

This happened once again today, shortly after I wrote this message! The person who made the mistake was a cryptography expert who has done research in this area.

So I fear the web of trust isn't holding up very well under strain, at least in terms of common user practices with popular PGP clients.

--
Seth Schoen <sch...@eff.org>
Senior Staff Technologist https://www.eff.org/
Electronic Frontier Foundation https://www.eff.org/join
815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x107
--
tor-talk mailing list - tor-talk@lists.torproject.org