-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi
On Saturday 21 January 2012 at 10:01:51 PM, in <mid:[email protected]>, Robert J. Hansen wrote: > If they want to mess with you, they don't need your > permission. As is, you've explicitly asked them, > "would you please sign certificate 0xDEADBEEF, > fingerprint so-and-so, here's my credentials." True. > Then > they're signing it with *their* certificate, backed up > by credentials that you yourself checked. Except that you have no way of knowing if the certificate they use to sign the key will contain UIDs related to the credentials you were shown, or something completely different. > How is this a problem? > You've been making hay out of this for years and I've > yet to see any realistic example of this being a > problem. Please present one. People being rude, insensitive, and potentially insulting, *is* a problem. Not related to security but still a problem. If it were possible to enforce the "keyserver-no-modify" flag, this problem might well disappear. >> More importantly, they are signing UIDs that may well >> contain email addresses, without actually verifying >> that you "control" those email addresses. > Likewise, regarding making hay and a complete lack of > realistic examples. Are you suggesting it is sensible to check a person's name against government-issued documents but to attempt any verification of email addresses? - -- Best regards MFPA mailto:[email protected] A candle loses nothing by lighting another candle -----BEGIN PGP SIGNATURE----- iQCVAwUBTx3ksqipC46tDG5pAQrAQgQAnDBspHgabHHXQL7/M7ZRBPp8GjSau4Nd uwl4BK5HsS/L0BwOyJ0mE1tYl6vaXYFsx4PjqgIsAtgL+t31NDHwGylo69jWls4q tDCJ3g2TNZjmACdcZ46/sp0SWT6/185SJqK8/TcS4SuUUpuXN5bHYeHZk4malUzB gISjtERTmYk= =8fr3 -----END PGP SIGNATURE----- _______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
