atom at suspicious.org
Mon Nov 15 17:50:00 CET 2004
-----BEGIN PGP SIGNED MESSAGE-----
On Mon, 15 Nov 2004, Moritz Schulte wrote:
> Could you please explain the rationale behind this header field slightly
> more verbose than you did in this paper? I am not convinced that is is
> Reason: keys should be on keyservers (keyservers are a standard) and all
> those information, which are to be encoded with this header field can be
> derived from the key itself. In other words: the only necessary
> information is something like a key ID (in case the mail is not signed).
> What am I missing?
let's say you get an email from "bob". you go to the keyservers and find
several keys that claim to belong to bob, but you're not sure which one(s)
are currently in use, or even which one ~really~ belongs to bob (none of
the keys are signed). this header ads a _convenience_ (that shouldn't be
considered secure!) to determine what key bob is using.
i've also run into cases where i find 2-3 (or more) keys that all have
several signatures, but i have no idea which one i'm supposed to use. more
often than not, the private key was lost on several of the old keys.
if this header is adopted as a standard, it could also allow MUAs to
import a key when replying (but it must be understood that it's a
convenience that may not be secure).
let's not fool ourselves, this is NOT secure... but as a convenience it's
rather cool. once a key is retrieved, the security burden (as always)
rests with the person who decides to import and use the key.
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
"According to Business Week, the average CEO [Chief
Executive Officer] made 42 times the average blue-collar
worker's pay in 1980, 85 times in 1990 and a staggering
531 times in 2000."
-- AFL-CIO 'Executive Paywatch'
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.6 (FreeBSD)
Comment: What is this gibberish?
-----END PGP SIGNATURE-----
More information about the Gnupg-devel