BUG: Web of trust circumvention by secret key distribution
L. Sassaman
rabbi at quickie.net
Thu Dec 7 12:08:59 CET 2000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Thu, 7 Dec 2000, Rodney Thayer wrote:

> no. NAI PGP does that, and they end up with a user interface
> which causes you to treat all keys as "untrusted" unless you've
> signed them yourself.

That's not correct. PGP treats all keys as untrusted unless there is a
valid trust path to the key. That trust path can originate from a secret
key you possess on your key ring or from a third-party key you have
decided to trust.

There is nothing wrong with the system PGP uses. And, as Florian has
demonstrated, it is a lot safer than the current GnuPG system.

> Please, GPG's UI is nasty enough, let's not make it even harder to use.

User-interface issues are a related, but distinctly different, matter. I
am sure there is a way to make GnuPG behave safely and properly without
making it harder to use.

- --Len.
__
L. Sassaman
Security Architect | "The world's gone crazy,
Technology Consultant | and it makes no sense..."
|
http://sion.quickie.net | --Sting
-----BEGIN PGP SIGNATURE-----
Comment: OpenPGP Encrypted Email Preferred.
iD8DBQE6L+5oPYrxsgmsCmoRAu/SAJ9OiPCPpauveY+0p+OffHC5TbsMDACgoys9
2rGTRxUVu207lflguKj+Sac=
=5GZG
-----END PGP SIGNATURE-----