[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Please revoke your signatures from Martin Kraff's keys

Hash: SHA1

Er, is it just me or isn't the point of gnupg that there *are* people
you *can't trust*.  We wouldn't be needing digital signatures if
everybody honoured the 'gentleman's agreement' that we should only
sign as ourselves (or at most as a pseudonym that can't be confused for
a real person) in plaintext email.

If the KSP is so weak that it depends on gentleman's agreements to
work, it's been cracked with unannounced malicious intent already, or
soon will be.

The whole point of the web of trust is that you should only say you
trust people you actually trust.  Personally I think a keysigning where
I only know people by ID, is at best a marginal trust.

GnuPG is about security, and security implies that there is a need to
be secure against someone or something.  In the case of GnuPG it's
people pretending to be something they are not.  If you depend on
'acceptable behaviour' to prevent abuse of this system you've already
lost, because the person is pretending to who they are not with
malicious intent, is not going to honour that understanding.  They also
won't tell you about it.

So, again, what's the point of security if it depends on 'acceptable
behaviour' or 'gentleman's agreements' to succeed?

- -- 
And that's my crabbing done for the day.  Got it out of the way early, 
now I have the rest of the afternoon to sniff fragrant tea-roses or 
strangle cute bunnies or something.   -- Michael Devore

Version: GnuPG v1.4.1 (GNU/Linux)


Reply to: