On Tue, 2007-04-10 at 21:11 +0200, Magnus Holmgren wrote:

> You're wrong. My public key is available from the standard keyserver network.
> wwwkeys.*.pgp.net, pgp.mit.edu, search.keyserver.net, and other servers that
> exchange keys with them. And it's signed by several people too.
Except that there's no way to securely verify that this key was submitted by
*you*. I can submit a key to the key server networks too, and claim it belongs
to Magnus Holmgren. And have it signed by several other keys I hack up. (I was
briefly considering doing that and signing this e-mail with it to bring the
point home, but that would have been very bad karma.)

In fact, a good percentage of the keys on the public key servers are now
believed to be fake, especially those claiming to belong to well-known persons.
And some of them have even been signed by real people who didn't know better,
and replied to "please sign my key" requests.

http://www.cymru.com/gillsr/documents/pgp-key-verification.htm

A dual-key signing system is only valuable if the public key can be 100%
trusted to come from the person it claims to be coming from, and the private
key is kept 100% safe. If either condition can't be fulfilled, it's slightly
worse than useless. Mostly it's used with no purpose whatsoever except to say
"look what I can do".

Regards,
-- 
*Art

-- 
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
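The scenario Art describes (an unauthenticated keyserver upload carrying someone else's name, cross-signed by attacker-made keys, versus a key whose signer's fingerprint was verified out of band) can be worked through with a small model of the classic web-of-trust validity rule. This is an added example and not code from the thread, from Exim, or from GnuPG; the fingerprints, user IDs and certification graph are constructed, and the "one full or three marginal" rule is a simplification of GnuPG's classic trust model (no depth limit, no per-key trust signatures).

```python
from dataclasses import dataclass, field
from enum import Enum


class OwnerTrust(Enum):
    """How far you trust a key's owner to certify *other* keys.  Assigned only
    after you have checked the owner's fingerprint out of band; a keyserver
    never supplies this."""
    UNKNOWN = 0
    NEVER = 1
    MARGINAL = 2
    FULL = 3
    ULTIMATE = 4


@dataclass
class Key:
    fpr: str                                           # fingerprint (constructed)
    uid: str                                           # name as claimed by whoever uploaded it
    certifications: set = field(default_factory=set)   # fingerprints of keys that signed this key


class Keyring:
    """A keyserver-style key store plus a local ownertrust database."""

    def __init__(self):
        self.keys = {}
        self.ownertrust = {}

    def publish(self, key):
        # Keyserver semantics: no authentication.  Anyone can upload a key
        # carrying any user ID, including somebody else's name.
        self.keys[key.fpr] = key

    def certify(self, signer_fpr, target_fpr):
        # A key signature is only a statement by the signer; it carries weight
        # solely if the signer's key is itself valid *and* has ownertrust.
        self.keys[target_fpr].certifications.add(signer_fpr)

    def set_ownertrust(self, fpr, trust):
        self.ownertrust[fpr] = trust

    def lookup(self, uid):
        """What a keyserver search returns: every key claiming that name."""
        return [k for k in self.keys.values() if k.uid == uid]

    def valid_keys(self, need_full=1, need_marginal=3):
        """Fixed-point validity computation: a key is valid if certified by at
        least `need_full` valid keys whose owner is fully or ultimately trusted,
        or by at least `need_marginal` valid keys whose owner is marginally
        trusted.  Ultimately trusted keys (your own) are valid by definition."""
        valid = {f for f, t in self.ownertrust.items()
                 if t is OwnerTrust.ULTIMATE and f in self.keys}
        changed = True
        while changed:
            changed = False
            for fpr, key in self.keys.items():
                if fpr in valid:
                    continue
                full = marginal = 0
                for signer in key.certifications:
                    if signer not in valid:
                        continue  # a signature from an unvalidated key counts for nothing
                    trust = self.ownertrust.get(signer, OwnerTrust.UNKNOWN)
                    if trust in (OwnerTrust.FULL, OwnerTrust.ULTIMATE):
                        full += 1
                    elif trust is OwnerTrust.MARGINAL:
                        marginal += 1
                if full >= need_full or marginal >= need_marginal:
                    valid.add(fpr)
                    changed = True
        return valid

    def is_valid(self, fpr):
        return fpr in self.valid_keys()


def build_example():
    """Constructed scenario: a genuine key, a forgery with the same user ID,
    and five attacker-made keys that cross-sign the forgery."""
    ring = Keyring()
    uid = "Magnus Holmgren <magnus@example.invalid>"
    for k in (Key("ME00", "Art <art@example.invalid>"),
              Key("AL01", "Alice <alice@example.invalid>"),
              Key("BO02", "Bob <bob@example.invalid>"),
              Key("MH03", uid),      # genuine key
              Key("FK04", uid)):     # forgery uploaded by the attacker
        ring.publish(k)
    ring.set_ownertrust("ME00", OwnerTrust.ULTIMATE)
    # Alice's and Bob's fingerprints were checked in person, so I sign them
    # and assign ownertrust.  Nobody else gets any.
    ring.certify("ME00", "AL01"); ring.set_ownertrust("AL01", OwnerTrust.FULL)
    ring.certify("ME00", "BO02"); ring.set_ownertrust("BO02", OwnerTrust.MARGINAL)
    ring.certify("AL01", "MH03")     # Alice met Magnus and signed the real key
    # The attacker signs the forgery with "several other keys I hack up",
    # each of which also signs all the others.
    puppets = [Key(f"SP{i}", f"Puppet {i}") for i in range(5)]
    for p in puppets:
        ring.publish(p)
    for p in puppets:
        ring.certify(p.fpr, "FK04")
        for q in puppets:
            if q is not p:
                ring.certify(p.fpr, q.fpr)
    return ring


if __name__ == "__main__":
    ring = build_example()
    for k in ring.lookup("Magnus Holmgren <magnus@example.invalid>"):
        print(k.fpr, len(k.certifications), "signatures, valid:", ring.is_valid(k.fpr))
```

The keyserver lookup returns both keys and the forgery carries more signatures than the genuine one; only the ownertrust assigned after out-of-band verification separates them. The same model also shows the second failure mode in the post: if three people holding marginal ownertrust answer a "please sign my key" request for the forgery, it computes as valid, so ownertrust has to be assigned as carefully as the fingerprint check itself.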
