
Re: [OT] Bogus undelivered message



John Hasler wrote:
> Pigeon writes:
>> It would be possible for $CYBERSPY to crack the keyserver and replace
>> $CYBERPAL's key with his own, then intercept all mails from $CYBERPAL,
>> replace the signature and send them on.
>
> Which will do $CYBERSPY no good at all since his key will not carry any of
> the signatures that $CYBERPAL's does.  The web of trust is not dependent on
> the security of the keyservers (indeed, the keyservers are not necessary at
> all: just convenient).

He was actually replying to me and I wasn't referring to the web of trust. From my perspective, if every e-mail I receive has $CYBERSPY's signature then I always know that I am talking to $CYBERSPY. Why should $CYBERSPY go through the trouble of intercepting e-mails from $CYBERPAL when he can just make things up on his own? In your [Pigeon] scenario, I have never interacted with $CYBERPAL, only with $CYBERSPY, and I am basing my opinion on that interaction. Which is right, I am basing my opinion of $CYBERSPY on my interaction with $CYBERSPY.

Attachment: pgpcIdPA4U2R3.pgp
Description: PGP signature

