Mutt/GnuPG doc initial release

David K. Trudgett dkt@registriesltd.com.au
Tue Sep 25 07:33:02 2001


On Tuesday 2001-09-25 at 06:33:37 +0200, Alexander Skwar wrote:


> Thus spoke »Douglas Elznic« on 2001-09-24 at 18:00:51 -0400:
> > actuality all it did was delete files off the user's hard drive. A
> > pgp signature or more accurately a lack thereof would have
> > prevented people from assuming the code was from carol and running
> > it. Is it really such a bother to you to have a couple of extra
> > lines of text?
>
> Well, no, but the point is, that a signature wouldn't have meant
> anything at all. If you haven't gotten the key directly (that is

This is not strictly true. Let me point out why, because it is a point that is often overlooked, although someone else on this list did bring it up just recently.

If I have two messages signed with the same key, I can be reasonably confident that the same person signed both messages. If I have ten messages over a period of time signed with the same key, then I can be even more confident that the same person signed all of those messages.

The point that is often overlooked is that "real-life" identity and "online" identity are two separate things, and a link does not necessarily have to be made between them. I know a lot of people online, but whom I have never met, nor spoken to, nor seen. This does not mean I don't know them. It simply means I know the online identity and not the "real-life" persona. The "real-life" persona is very often irrelevant.

> from a face-to-face contact) or if it is at least signed by some
> known authority, there's no indication whatsoever that this key
> actually belongs to whomever it says in the signature.
You will now see, I hope, why that statement is wrong. You are assuming that it is necessary to know the "real-life" persona, whereas in fact, that is a false assumption.
>
> If I'd sign this mail, would you be more confident that it actually
> is from me?

Indeed, I would, as explained above. However, you may still consider it not useful to have a high level of confidence that certain messages are from a particular "online" identity. I would suggest that if this is the case, it is probably only because email tampering and falsification is something that happens only very rarely in most people's experience. If it were ever to become the case that these things became much more common, then I would suggest your opinion would quickly change.

David Trudgett
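
The key-continuity argument in this message, as an added example that is not part of the original post: it reads the `VALIDSIG` line that `gpg --status-fd` emits, pins the first fingerprint seen for each sender, counts consistent messages, and flags a missing signature or a changed key. The sender addresses, fingerprints and status text are constructed sample data, and the class and verdict names are assumptions made for illustration.

```python
# Added illustration: key continuity ("same key as before") without any
# claim about real-life identity. All sample data below is constructed.

FPR_A = "1" * 40   # constructed fingerprint
FPR_B = "2" * 40   # constructed fingerprint

def status_for(fpr):
    """Build constructed `gpg --status-fd` output for a good signature."""
    return (f"[GNUPG:] GOODSIG {fpr[-16:]} constructed user id\n"
            f"[GNUPG:] VALIDSIG {fpr} 2001-09-20 1000944000 0 3 0 17 2 00 {fpr}\n")

def signing_fingerprint(status_text):
    """Return the fingerprint from a VALIDSIG status line, or None."""
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return parts[2].upper()
    return None

class ContinuityLog:
    def __init__(self):
        self.pinned = {}   # sender -> fingerprint seen on first signed mail
        self.streak = {}   # sender -> messages signed with the pinned key

    def observe(self, sender, status_text):
        fpr = signing_fingerprint(status_text)
        known = self.pinned.get(sender)
        if fpr is None:
            # A sender who always signs but suddenly does not is the warning
            # sign; an unknown sender without a signature is just unsigned.
            return "signature-missing" if known else "unsigned"
        if known is None:
            self.pinned[sender] = fpr
            self.streak[sender] = 1
            return "first-seen"
        if fpr == known:
            self.streak[sender] += 1
            return "consistent"
        return "key-changed"   # keep the old pin until a human decides

# Constructed message sequence: (From address, gpg status output).
SAMPLE = [
    ("carol@example.org", status_for(FPR_A)),
    ("carol@example.org", status_for(FPR_A)),
    ("carol@example.org", status_for(FPR_A)),
    ("carol@example.org", ""),                 # unsigned mail "from" carol
    ("carol@example.org", status_for(FPR_B)),  # signed, but a different key
    ("dave@example.org", ""),
]

def review(messages):
    log = ContinuityLog()
    return [log.observe(s, t) for s, t in messages], log
```

Confidence here grows with the streak count for a pinned key and says nothing about who holds that key offline.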