Mutt/GnuPG doc initial release

David K. Trudgett dkt@registriesltd.com.au
Tue Sep 25 07:33:02 2001 

On Tuesday 2001-09-25 at 06:33:37 +0200, Alexander Skwar wrote:


> So sprach »Douglas Elznic« am 2001-09-24 um 18:00:51 -0400 :

> > actuality all it did was delete files off the users hard drive. A

> > pgp signature or more accurately a lack there of would have

> > prevented people from assuming the code was from carol and running

> > it. Is it really such a bother to you to have a couple of extra

> > lines of text?

> 

> Well, no, but the point is, that a signature wouldn't have ment

> anything at all.  If you haven't gotten the key directly (that is


This is not strictly true. Let me point out why, because it is a point
that is often overlooked, although someone else on this list did bring
it up just recently.

If I have two messages signed with the same key, I can be reasonably
confident that the same person signed both messages. If I have ten
messages over a period of time signed with the same key, then I can be
even more confident that the same person signed all of those messages.

The point that is often overlooked is that "real-life" identity and
"online" identity are two separate things, and a link does not
necessarily have to be made between them. 

I know a lot of people online, but with whom I have never met, nor
spoken to, nor seen. This does not mean I don't know them. It simply
means I know the online identity and not the "real-life" persona. The
"real-life" persona is very often irrelevant.




> from a face-to-face contact) or if it is at least signed by some

> known authority, there's no indication whatsoever that this key

> actually belongs to whoemever it says in the signature.


You will now see, I hope, why that statement is wrong. You are
assuming that it is necessary to know the "real-life" persona, whereas
in fact, that is a false assumption.



> 

> If I'd sign this mail, would you be more confident that it actually

> is from me?


Indeed, I would, as explained above. However, you may still consider
it not useful to have a high level of confidence that certain messages
are from a particular "online" identity. I would suggest that if this
is the case, it is probably only because email tampering and
falsification is something that happens only very rarely in most
people's experience. If it were ever to become the case that these
things became much more common, then I would suggest your opinion would
quickly change.


David Trudgett