-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

> On one last note; I can't help but notice the omission of keyservers
> in any of these scenarios. I mean you /must/ use them. Yet nobody
> even mentions the possibility of /them/ being trustworthy.

Just to be sure, you're speaking about checking signs with key on servers (like pgp.mit.edu) ?

Regards,

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: http://firegpg.tuxfamily.org

iEYEARECAAYFAkeXXvIACgkQjKKs5/FTCjVtzQCdEbI/7X8nbGF4ty3W0sJ9nNWp
vAQAn0TZKGI7kK0g+od60alY3JtWCBl8
=SC3e
-----END PGP SIGNATURE-----

> On Fri, 18 Jan 2008 02:56:12 -0800, chris# <[EMAIL PROTECTED]>
> wrote:
>>
>> On Thu, 17 Jan 2008 20:22:41 +0100, till <[EMAIL PROTECTED]> wrote:
>>> Dear Maximilien,
>>>
>>> On Jan 17, 2008 4:17 PM, Jason Fesler <[EMAIL PROTECTED]> wrote:
>>>> (...)
>>>> Oh well, off my soap box. Implement what you want. I just hope any
>>>> README or whatever includes some paranoia.
>>>
>>> +1
>>>
>>> I'm not strictly against this feature but then again I wouldn't upload
>>> my key to *any* provider.
>>>
>>> Think about the general risk. I am not saying that someone will spy on
>>> you and steal your key but what if they get hacked etc..
>>
>> Then their ssl certs will /also/ be at risk. Hell, It /really/ is not
>> difficult to "lift" their certs, and implement a little DNS cache
>> poisoning and claim to be them. Then /you/ as their user will continue
>> to use a server you /believe/ to be them. While all the while, they're
>> (the hackers) in complete control of your mail. Phishing also comes to
>> mind.
>>
>>> There are
>>> multiple scenarios that come to mind. I guess it's fine to have this
>>> feature when you are in total control of your environment and don't
>>> mind the risk.
>>>
>>> Anyway, having said that - and since no one else said, "OH I AM
>>> WORKING ON THIS", go knock yourself out. ;-)
>>
>> I believe it is a worthy cause in both cases. It would simply be more
>> feasible as a "server side" solution.
>>
>> On one last note; I can't help but notice the omission of keyservers
>> in any of these scenarios. I mean you /must/ use them. Yet nobody
>> even mentions the possibility of /them/ being trustworthy.
>>
>>>
>>> Till
>> /////////////////////////////////////////////////////
>> Service provided by hitOmeter.NET internet messaging!
>> .
>>
>> _______________________________________________
>> List info: http://lists.roundcube.net/dev/
> --
> Maximilien Cuony [The_Glu]
> http://theglu.org

--
Maximilien Cuony [The_Glu]
http://theglu.org
_______________________________________________
List info: http://lists.roundcube.net/dev/
