-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 2/1/2012 03:45 PM, Robert J. Hansen wrote:
> Except that it doesn't. What's to prevent me from creating a
> certificate with your name and email address and making posts in your
> name, with a signature from a certificate that claims to be yours?
>
> Nothing -- and that signature is every bit as credible as the one that's
> from your own certificate. You might say, "but that certificate's a
> fraud, my certificate's real!", but the Christopher Walters impersonator
> will say the same thing about you. There's no way to check.

Nothing, true. However, I disagree with your statement that there is no way to check: one can check the headers of each message to see from where they originated. If one says it came from (my email name @ my ISP) and originated from my ISP, and the other shows a different origin, then the one showing a different origin would be suspect, while the one showing an IP address from my ISP, and showing that it came from my username, would be more able to be trusted. If neither originated from my ISP, then both are suspect.

That is, unless you met the real me, verified that I am who I say I am, and signed my key - then it would add some very strong trust if you had signed one of those keys. If they both came from my ISP, and neither was signed by you or someone you trust, they would both be suspect.

Before you mention it, I know that headers can be spoofed, however, I very much doubt that a troll or spammer would go to the trouble of creating a key-pair in my name to sign messages, as well as the trouble to spoof the headers.

> I understand the desire to give people a way to verify the integrity of
> your message, but the way you're going about it has some glaring and
> obvious flaws.

That is your opinion, and I can respect that. However, in showing the flaw in your argument that "there is no way to check", I cannot agree with your conclusion. I could have understood and agreed with your argument if you had said:

1. I have never met you.
2. By the standard of trust I use, I have to meet you to sign your public key.
3. No one I have met, who uses my standard of trust, has signed your key.

Therefore, I do not know you well enough for your signature to have any meaning to me.

To simply state that "the way you're going about it has some glaring and obvious flaws", when the only argument you used against it has its own flaws, does not meet my standard of logic in reasoned argument.

> I can't argue against a feeling. No one can. Feelings are what they
> are, and they are immune to the forces of reason.

I am always open to logical arguments. However, in using logic alone, one must realize that two opposing logical arguments can be equally valid. As for arguing with a feeling, I see people doing that all the time and it's usually not pretty. ;)

I do not believe there is *One True and Correct Answer* to this issue. I do feel it germane to point out that this IS the gnupg-users list, and if anywhere would be appropriate to sign messages, it would be here.

Regards,

Chris

P.S. I could show a proof of concept very easily, to support my premise that the headers can be used to check which one is valid. However, it is a good deal of work for me, and it is really up to you to refute my argument.
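
The header check discussed in this message, as an added example that is not part of the original post or the thread: it walks the Received chain newest-first and accepts an originating address only from hops stamped by relays the reader trusts, since every line below the first untrusted stamp is sender-controlled. The sample message, hostnames, addresses and trusted-relay sets are constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message; hosts and addresses use reserved documentation ranges.
# The bottom Received line stands for a header written by the sender, not by a relay.
SAMPLE = """\
Received: from lists.example.org (lists.example.org [192.0.2.10])
\tby mx.reader.example with ESMTP id A1; Wed, 1 Feb 2012 16:31:02 -0500
Received: from smtp.isp.example (smtp.isp.example [198.51.100.7])
\tby lists.example.org with ESMTP id B2; Wed, 1 Feb 2012 16:30:40 -0500
Received: from [203.0.113.45] (cust45.isp.example [203.0.113.45])
\tby smtp.isp.example with ESMTPA id C3; Wed, 1 Feb 2012 16:30:11 -0500
Received: from home-pc (unknown [10.1.2.3])
\tby made-up-relay.invalid with SMTP id D4; Wed, 1 Feb 2012 16:29:53 -0500
From: Someone <someone@isp.example>
Subject: constructed example

body
"""

# Peer address recorded by the stamping relay, then the relay's own name after "by".
HOP = re.compile(r"\[(?P<ip>[0-9A-Fa-f.:]+)\]\)\s+by\s+(?P<by>[^\s;]+)")

# Assumption: which relays a reader is willing to believe.
READER_ONLY = {"mx.reader.example"}
READER_LIST_ISP = {"mx.reader.example", "lists.example.org", "smtp.isp.example"}


def verifiable_origin(raw, trusted_relays):
    """Return (peer_ip, stamped_by) from the deepest hop in an unbroken trusted chain."""
    origin = None
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(value)
        if not m or m.group("by").lower() not in trusted_relays:
            break  # this stamp and everything below it could have been forged
        origin = (ipaddress.ip_address(m.group("ip")), m.group("by").lower())
    return origin


def origin_check(raw, trusted_relays, expected_net):
    """Compare the verifiable handoff address with the network the sender claims."""
    origin = verifiable_origin(raw, trusted_relays)
    if origin is None:
        return "unverifiable"
    return "inside" if origin[0] in ipaddress.ip_network(expected_net) else "outside"
```

A result of "inside" only places the handoff within the expected network; it does not identify which customer of that network sent the message. With only the reader's own MX trusted, the deepest verifiable address is the list server's, not the poster's.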
