On Thu, 2004-05-06 at 22:27, Bob Rogers wrote:
> From: Sean Quinlan <[EMAIL PROTECTED]>
> Date: Thu, 06 May 2004 11:13:43 -0400
>
> . . .
>
> I also digitally sign my emails, which I wish more people took advantage
> of. I don't know of a virus yet that can fake a gpg signature . . .
>
> The virus wouldn't have to fake it. There is nothing that prevents a
> virus author from creating a valid key for a fictitious individual and
> signing the initial virus message. You wouldn't be able to find the
> key, because it wouldn't exist on any key server (putting it there might
> give away the identity of the author), so you could never prove that it
> wasn't valid.

Which is why I believe I mentioned in one of my posts all of this is moot unless you can verify the signature. Which requires contacting them directly at some point, or trusting someone who has signed my key already.

> So there's a chicken-and-egg problem here: Validating signatures is
> not very useful, which makes signing not very useful,

Except it brings up occasional discussions about it, which I think is useful. ;-} And a few friends and co-workers also use it. Of course I'd like to add an outgoing filter that automatically encrypts emails that are being sent directly to someone I have a key for too. ... Just cause :)

> which means there
> aren't many signatures to validate. Which in turn is probably why virus
> authors don't bother to fake signatures; I suspect most virus victims
> have never even seen a signed email. But all that may be a good thing;
> it will postpone the day when people set their passphrase cache lifetime
> to 10 years and let viruses sign away the value of their private keys.
> If and when that happens, and it might be inevitable, it will dilute the
> value of digital signatures generally, which will not be a good thing.

I admit that I currently do cache my passphrase. A habit of laziness I know I'll need to give up once someone writes a virus that uses my MUA to generate outgoing email. However, since Evolution isn't automatically executing anything in emails I receive, I'm hoping that day will be a long way off.

> Hey yeah. BTW, anyone want to get to the next meeting early and do some
> key signing?
>
> Now *that* would be a good thing.

=D

> P.S. I'm having a strong sense of deja vu now; have I sent this post
> before? Perhaps in a previous life? Or a different list?

-- 
Sean Quinlan <[EMAIL PROTECTED]>

_______________________________________________
Boston-pm mailing list
[EMAIL PROTECTED]
http://mail.pm.org/mailman/listinfo/boston-pm
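The distinction this thread turns on, a signature that checks out cryptographically versus a key you have a reason to trust, shown as an added example that is not part of the original messages. It classifies GnuPG `--status-fd` lines; the sample lines, the key ID and the verdict names are constructed, and one signature per message is assumed.

```python
# Added example. Status keywords are GnuPG's; sample lines, the key ID and
# the verdict names are constructed for illustration.
TRUSTED = {"TRUST_FULLY", "TRUST_ULTIMATE"}
REJECT = {"BADSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def classify(status_text):
    """Map gpg --status-fd output for one signature to a verdict."""
    seen = set()
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "[GNUPG:]":
            seen.add(fields[1])
    if seen & REJECT:
        return "rejected"
    if "NO_PUBKEY" in seen:
        # Key is not in the keyring: nothing was verified at all.
        return "unknown-key"
    if "GOODSIG" not in seen:
        return "rejected"
    # Signature is mathematically valid; the open question is whose key it is.
    if seen & TRUSTED:
        return "trusted"
    return "valid-but-unverified"

KEY = "0123456789ABCDEF"  # constructed key ID
SAMPLES = {
    # Key cannot be found anywhere, as in the fictitious-signer scenario.
    "no_key": f"[GNUPG:] ERRSIG {KEY} 17 2 00 1083896820 9\n"
              f"[GNUPG:] NO_PUBKEY {KEY}\n",
    # Key was imported, but nobody you trust has signed it.
    "fictitious": f"[GNUPG:] GOODSIG {KEY} Nobody Real <nobody@example.invalid>\n"
                  f"[GNUPG:] TRUST_UNDEFINED\n",
    # Key signed by someone you trust (for example after a key signing).
    "signed_key": f"[GNUPG:] GOODSIG {KEY} Known Colleague <colleague@example.invalid>\n"
                  f"[GNUPG:] TRUST_FULLY\n",
    # Message body altered after signing.
    "tampered": f"[GNUPG:] BADSIG {KEY} Known Colleague <colleague@example.invalid>\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:12} -> {classify(text)}")
```
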

