-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tuesday, August 08, 2000, 7:43:44 AM, David wrote:
> would not only need to download that person's key to check their
> signature, but you would also need to phone them or something, to
> check if the key really belongs to them. How many people here would
> want to do this? A PGP signature is useless otherwise - I could easily
> generate a key in someone else's name, and then even upload it to a
> keyserver.

    Go ahead, do it.  You're completely forgetting the web of trust.  We don't
need to verify the identity of each person on the list; we only need to trust
people who sign the keys who have verified the people on the list /or/ form a
keyring with standards of acceptance which provide a reasonable assurance the
person is who they say they are when they submit the key.

    Look at the Debian project and the PGP keys in use there.  To get to be a
Debian developer you need to provide legal documents, go through a phone
interview /or/ be met, in person, by another Debian developer.  That provides
a reasonable assurance that the keyring Debian provides has a high chance,
just as high if not HIGHER than Thawte keys, that the people contained in it
are real.  Furthermore, I meet one person, verify his key, we sign each
other's keys (since we've met) and now we can trust each other's signatures on
/other/ keys.

    That is what the web of trust provides.  I trust that much more than some
corporation out there who can be paid to put a stamp on something.

> I prefer a 2.8K attachment with the signature to the amount of
> visual noise created by a PGP message (not forgetting the "you can
> download my key at blahh......." bit).

    Uhm, the visual noise can be filtered out by the client.  See PMMail2k Pro
for this.

> purpose, a 2.8K attachment is a bit on the big side it does at least
> do its job, the few hundred bytes of a PGP signature do nothing for
> me.

    Because you chose to ignore what PGP has built up.  Providing the SLIME
key in the message does nothing.  "I signed this, really, see, here's my cert,
right here to verify along with the message."  That is like not signing your
credit card, signing it in front of the clerk, and having them accept that
when they compare it against your signature on the receipt!

> S/MIME is well designed, and I wouldn't knock it.

    SLIME is completely worthless in my view from what I've seen.  There are
no assurances at all of people being who they say they are.

- --
         Steve C. Lamb         | I'm your priest, I'm your shrink, I'm your
         ICQ: 5107343          | main connection to the switchboard of souls.
- -------------------------------+---------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5i

iQA/AwUBOZAnp3pf7K2LbpnFEQI2uQCdFvcn8hA165VAUn/tjGI/vOEm844AnAkK
LHfSaBT2ZavTYDJOb5rdSwhP
=cz3J
-----END PGP SIGNATURE-----
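The validity computation that the web of trust described above rests on, as an added example (not code from the thread, from PGP or from The Bat!), modelled on the GnuPG defaults of one fully trusted or three marginally trusted introducers; all key names, signatures and trust assignments are constructed for illustration:

```python
from typing import Dict, Set

FULL, MARGINAL = "full", "marginal"   # ownertrust levels I assign to signers

def compute_validity(sigs: Dict[str, Set[str]], ownertrust: Dict[str, str],
                     my_key: str, marginals_needed: int = 3,
                     completes_needed: int = 1) -> Set[str]:
    """Return the set of keys that are valid under the web of trust.

    sigs maps a key id to the set of key ids that certified it.  Only
    certifications from keys that are themselves valid AND carry ownertrust
    count, so a stranger's self-made chain of signatures contributes nothing.
    """
    ownertrust = {**ownertrust, my_key: FULL}   # my own key: ultimate trust
    valid = {my_key}
    changed = True
    while changed:              # repeat until no further key becomes valid
        changed = False
        for key, signers in sigs.items():
            if key in valid:
                continue
            counted = [s for s in signers if s in valid]
            full = sum(ownertrust.get(s) == FULL for s in counted)
            marg = sum(ownertrust.get(s) == MARGINAL for s in counted)
            if full >= completes_needed or marg >= marginals_needed:
                valid.add(key)
                changed = True
    return valid

def demo() -> Set[str]:
    """Constructed keyring: names, signatures and trust are illustrative only."""
    sigs = {
        "alice": {"me"},                     # met in person, we cross-signed
        "dave": {"me"}, "erin": {"me"},      # met at a keysigning party
        "bob": {"alice"},                    # alice verified bob for me
        "frank": {"alice"},
        "carol": {"dave", "erin", "frank"},  # three marginal introducers
        # a key generated in alice's name and uploaded to a keyserver,
        # certified only by a second key the same impostor made up
        "alice-impostor": {"impostor-2"},
        "impostor-2": {"alice-impostor"},
    }
    ownertrust = {"alice": FULL, "dave": MARGINAL,
                  "erin": MARGINAL, "frank": MARGINAL}
    return compute_validity(sigs, ownertrust, my_key="me")
```

The impostor key never becomes valid no matter how many self-made signatures it carries, which is why attaching a certificate to the message itself adds nothing.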

-- 
--------------------------------------------------------------
View the TBUDL archive at http://tbudl.thebat.dutaint.com
--------------------------------------------------------------
