Mutt/GnuPG doc initial release

Horacio homega@wanadoo.es
Tue Sep 25 13:10:01 2001


On Tue, Sep 25, 2001 at 03:30:21PM +1000, David K. Trudgett
wrote:

> On Tuesday 2001-09-25 at 06:33:37 +0200, Alexander Skwar
> wrote:
>
> > Thus spoke «Douglas Elznic» on 2001-09-24 at 18:00:51 -0400:
> > > actuality all it did was delete files off the users
> > > hard drive. A pgp signature or more accurately a lack
> > > thereof would have prevented people from assuming the
> > > code was from carol and running it. Is it really such a
> > > bother to you to have a couple of extra lines of text?
> >
> > Well, no, but the point is, that a signature wouldn't
> > have meant anything at all. If you haven't gotten the key
> > directly (that is
>
> This is not strictly true. Let me point out why, because it
> is a point that is often overlooked, although someone else
> on this list did bring it up just recently.
>
> If I have two messages signed with the same key, I can be
> reasonably confident that the same person signed both
> messages. If I have ten messages over a period of time
> signed with the same key, then I can be even more confident
> that the same person signed all of those messages.
>
> The point that is often overlooked is that "real-life"
> identity and "online" identity are two separate things, and
> a link does not necessarily have to be made between them.

So you could have growing trust on that key after more and more messages from the same sender come signed with it. Fair enough. But, do you really expect that people who neglect the golden security rule of "not running binaries or installing code sent to them or to public forums" to track the relationship between the sender and the key over time? There is no point in telling people to install strong secure door locks at their homes if they are going to leave their home doors open.

-- 
Horacio
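The key-continuity argument quoted above (a series of messages signed with the same key gives growing confidence that one signer is behind all of them, without ever tying that key to a real-life identity), as an added example that is not from this thread nor from Mutt or GnuPG: it uses Go's standard-library Ed25519 in place of OpenPGP, and the sender name "carol", the messages and both keys are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Record is what the verifier remembers about one sender address.
type Record struct {
	Fingerprint string // fingerprint of the key first seen signing this sender's mail
	Messages    int    // verified messages seen under that key so far
}

// ContinuityStore maps a sender address to its Record; nothing in it ties the
// key to a real-life identity, only to the stream of earlier signed messages.
type ContinuityStore map[string]*Record

// Check verifies sig over msg with pub and returns (signatureValid, sameKeyAsBefore, messagesUnderThatKey).
func (s ContinuityStore) Check(sender string, pub ed25519.PublicKey, msg, sig []byte) (bool, bool, int) {
	if !ed25519.Verify(pub, msg, sig) {
		return false, false, 0
	}
	sum := sha256.Sum256(pub) // identify the key by a fingerprint, not by the From: name
	fp := hex.EncodeToString(sum[:])
	r, known := s[sender]
	if !known {
		r = &Record{Fingerprint: fp} // first contact: remember this key for the sender
		s[sender] = r
	} else if r.Fingerprint != fp {
		return true, false, r.Messages // valid signature, but not the key this sender used before
	}
	r.Messages++
	return true, true, r.Messages
}

func main() {
	// Constructed demo: "carol" signs twice with key A, then once with key B.
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, privB, _ := ed25519.GenerateKey(rand.Reader)
	s := ContinuityStore{}
	for _, m := range []string{"patch 1", "patch 2"} {
		fmt.Println(s.Check("carol", pubA, []byte(m), ed25519.Sign(privA, []byte(m)))) // true true 1, then 2
	}
	m := []byte("patch 3")
	fmt.Println(s.Check("carol", pubB, m, ed25519.Sign(privB, m))) // true false 2
}
```

The third result is the case the thread argues about: the signature is perfectly valid, but it proves nothing about "carol" because it is not the key that name has been using.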