> I don't know how common this is, really. I've heard of all these things happening in isolation, but I've never heard of someone stealing a laptop, searching for the key, cracking it open with a password cruncher, and then going out and ... doing some damage like stealing your value using your cracked key.
The FBI broke into a gangster's place (legally) and placed a key logger on his keyboard to get his PGP password to break his crypto...
> Self-signed certs have limitations. But, they are nice and cheap. You don't get everything for free, but you do get quite a lot.
CAcert is also free (well, unless people want to donate to us :), but the added benefit is an impartial 3rd party (with NO monetary gains) will try to do as much checking as possible for as minimal a cost as possible (due diligence), whereas with self-signed certificates it's dicey: email addresses can be easily forged, and self-signed certificates created within seconds... Hello encrypted spam!
> Well, here's some due diligence: How much has been lost due to lack of 3rd party revocation capabilities in the OpenPGP or SSH or any world? Indeed, how much has been
SSH is a special case where you SHOULD be intermittently knowledgeable of the system you're connecting to; you don't go out and SSH to machines you have no prior relationship with, otherwise you're there for, well, non-legit reasons. You do go out and email people you have no prior relationship with, you do go out and connect to websites you have no prior relationship with, etc. etc. etc....
--
Best regards,
Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers

_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto