On Thu, Oct 18, 2007 at 11:56:59PM -0400, Jason Harris wrote:
> On Wed, Oct 17, 2007 at 09:34:34AM +0200, Sven Radde wrote:
> > Probably true, but how will spammers get signatures on their stuff that
> > are valid *for me*? They would have to compromise one of the keys that
> > are valid on my keyring or one that would be considered trustworthy by
> > means of the web-of-trust.
>
> Why not just take some signed content from a key in the strong set,
> like this message, and add some unsigned spam to it? It would be
> a great way to ruin keys by making them "spam-keys."

Why? I mean, what evidence is there that the owner of the key used to sign the signed content had anything to do with the unsigned content?

Signed content in the interior of a message conveys no information about the trust one might choose to assign to the rest of the message. A properly written rule shouldn't care that there is signed content inside an unsigned message.

-- 
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he means the exact opposite.

_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
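
Added example, not part of the original message or of GnuPG: a sketch of the kind of filter rule discussed in this thread, which credits a signature only to the lines inside the cleartext-signed block and treats everything outside it as unsigned. It checks structure only and assumes the signature itself is verified separately (for instance with gpg); the function names and the sample text are constructed for illustration.

```python
# Added example: structural coverage check only; it does NOT verify the signature.
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

def split_coverage(body):
    """Split a mail body into (signed_lines, unsigned_lines)."""
    signed, unsigned, pending = [], [], []
    state = "outside"
    for line in body.splitlines():
        if state == "outside":
            if line == BEGIN_MSG:
                state, pending = "headers", []
            else:
                unsigned.append(line)
        elif state == "headers":          # "Hash:" armor headers end at a blank line
            if line == "":
                state = "text"
        elif state == "text":
            if line == BEGIN_SIG:
                state = "sig"
            else:                         # undo dash-escaping ("- " prefix)
                pending.append(line[2:] if line.startswith("- ") else line)
        elif line == END_SIG:             # state == "sig": block is complete
            signed.extend(pending)
            state, pending = "outside", []
    if state != "outside":                # unterminated block: nothing is covered
        unsigned.extend(pending)
    return signed, unsigned

def signature_covers_whole_body(body):
    """True only if there is signed text and no non-blank text outside it."""
    signed, unsigned = split_coverage(body)
    return bool(signed) and not any(l.strip() for l in unsigned)

# Constructed sample: one clearsigned block wrapped in unsigned text.
SAMPLE = "\n".join([
    "Unsigned advertisement text placed before the block.",
    BEGIN_MSG, "Hash: SHA1", "",
    "This paragraph is what the key owner signed.",
    "- -- ",
    BEGIN_SIG, "(constructed placeholder, not a real signature)", END_SIG,
    "Unsigned advertisement text placed after the block.",
])

if __name__ == "__main__":
    signed, unsigned = split_coverage(SAMPLE)
    print("signed:", signed)
    print("unsigned:", unsigned)
    print("covers whole body:", signature_covers_whole_body(SAMPLE))
```

A rule built on this would score the unsigned lines exactly as it scores any unsigned mail, so a valid signature on an embedded block neither helps the surrounding text nor counts against the key.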
