
Re: [OT] Re: Things we should know about PGP



On Wed, 09 May 2012 23:22:09 +0200, Ralf Mardorf wrote:

> On Wed, 2012-05-09 at 20:22 +0000, Camaleón wrote:

>> What do you understand by "dirty"?
>> 
>> I can send the same spam, virus-inside or crap message with a signature
>> or without it. That changes nothing.
>> 
>> 
> dirty {adj} [fig.] e.g. remove words, add words.

So you meant that the content of the messages can't become
"faked/manipulated" when they are signed. If that's what you wanted to
say, then yes, signatures are also aimed at that.

But the problem still remains: in the event you can check the validity of 
the signature you still can't be sure about its real author.

>> You can still get false positives that mean the signature cannot be
>> properly verified, so you think the message is not legitimate while it
>> is.
> 
> I did write something similar off-list to whomever, but it wasn't only
> about computers and signing mails:

(...)
    
>         As I already pointed out. Somebody e.g. could hack the view of a
>         mailing list archive, seemingly signed mails with edited
>         content. Then this wrong information is on the Internet,
>         pretending to be the signed original. The mob will believe this
>         is absolute truth. They are hungry for absolute truth. This is a
>         loss of civilization.

It's even simpler than that: any piece of the software involved 
in the message distribution chain can fail, i.e., it can have bugs that 
render the signature verification process invalid.
       
> OTOH there are valid situations to sign messages.

Of course. Moreover, it should be "a must". 

As I see it, the concept of verifying the author of a message is 
completely valid and right, it's the implementation that fails because of 
the way you have to trust the user you want to validate (human beings 
have not developed a system to differentiate between a fake and a true thing, 
our brains are very limited in that field and also very influenceable by 
external sources).

Greetings,

-- 
Camaleón

