Mutt/GnuPG doc initial release
Horacio
homega@wanadoo.es
Tue Sep 25 13:10:01 2001
On Tue, Sep 25, 2001 at 03:30:21PM +1000, David K. Trudgett wrote:
> On Tuesday 2001-09-25 at 06:33:37 +0200, Alexander Skwar wrote:
>
> > Thus spoke »Douglas Elznic« on 2001-09-24 at 18:00:51 -0400:
> > > actuality all it did was delete files off the users
> > > hard drive. A pgp signature or more accurately a lack
> > > thereof would have prevented people from assuming the
> > > code was from carol and running it. Is it really such a
> > > bother to you to have a couple of extra lines of text?
> >
> > Well, no, but the point is, that a signature wouldn't
> > have meant anything at all. If you haven't gotten the key
> > directly (that is
>
> This is not strictly true. Let me point out why, because it
> is a point that is often overlooked, although someone else
> on this list did bring it up just recently.
>
> If I have two messages signed with the same key, I can be
> reasonably confident that the same person signed both
> messages. If I have ten messages over a period of time
> signed with the same key, then I can be even more confident
> that the same person signed all of those messages.
>
> The point that is often overlooked is that "real-life"
> identity and "online" identity are two separate things, and
> a link does not necessarily have to be made between them.
So you could have growing trust in that key after more and
more messages from the same sender come signed with it. Fair
enough.
But, do you really expect that people who neglect the golden
security rule of "not running binaries or installing code
sent to them or to public forums" to track the relationship
between the sender and the key over time?
There is no point in telling people to install strong secure
door locks at their homes if they are going to leave their
home doors open.
-- 
Horacio
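The key-continuity idea David describes above (confidence in a key grows with each validly signed message from the same sender, while an unsigned message or a different key from an established sender is what should raise an eyebrow) is exactly the bookkeeping Horacio doubts people will do by hand. As an added illustration, not code from this thread or from Mutt or GnuPG, here is a small tracker that does that bookkeeping automatically in the style of a trust-on-first-use model. It assumes the signature check itself has already been done by an external tool (the `signature_valid` flag stands in for a `gpg --verify` result); the sender addresses and `FPR-*` fingerprints are constructed sample data, and the "established after 3 messages" threshold is an arbitrary policy choice.

```python
"""Key-continuity tracker for signed mail (constructed example).

Each observation is one received message: who claimed to send it, which
key (if any) signed it, and whether that signature verified. The
tracker reports a verdict per message and a confidence level per
(sender, key) pair based purely on observed history, without any link
to a "real-life" identity.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Observation:
    sender: str                      # address from the From: header
    key_fingerprint: Optional[str]   # None when the message was unsigned
    signature_valid: bool            # assumed result of an external verify step


class ContinuityTracker:
    def __init__(self, established_after: int = 3) -> None:
        # Policy knob (assumption): how many validly signed messages
        # from one key before we call the sender/key pairing established.
        self.established_after = established_after
        # sender -> fingerprint -> count of validly signed messages seen
        self._seen: Dict[str, Dict[str, int]] = {}

    def observe(self, obs: Observation) -> str:
        """Record one message and return a verdict label for it."""
        keys = self._seen.setdefault(obs.sender, {})
        if obs.key_fingerprint is None:
            # Douglas's point: an unsigned message from someone who has
            # always signed before is the suspicious case, not the norm.
            return "unsigned-expected-signature" if keys else "unsigned"
        if not obs.signature_valid:
            # A failed verification never adds to the history.
            return "bad-signature"
        if obs.key_fingerprint in keys:
            keys[obs.key_fingerprint] += 1
            return "continuity"
        # New key for this sender: a conflict if we already knew another.
        verdict = "key-changed" if keys else "first-seen"
        keys[obs.key_fingerprint] = 1
        return verdict

    def confidence(self, sender: str, fingerprint: str) -> str:
        """How much history backs this sender/key pairing."""
        count = self._seen.get(sender, {}).get(fingerprint, 0)
        if count == 0:
            return "none"
        if count < self.established_after:
            return "low"
        return "established"


def run(observations: List[Observation],
        established_after: int = 3) -> Tuple[List[str], ContinuityTracker]:
    """Feed a message sequence through a fresh tracker; return verdicts and tracker."""
    tracker = ContinuityTracker(established_after)
    return [tracker.observe(o) for o in observations], tracker


# Constructed sample mailbox: addresses and fingerprints are placeholders.
SAMPLE = [
    Observation("carol@example.org", "FPR-A", True),   # first message from carol
    Observation("carol@example.org", "FPR-A", True),   # same key again
    Observation("carol@example.org", "FPR-A", True),   # now established
    Observation("carol@example.org", None, False),     # unsigned: the warning case
    Observation("carol@example.org", "FPR-B", True),   # different key: conflict
    Observation("dave@example.org", None, False),      # never signed, nothing to compare
    Observation("dave@example.org", "FPR-C", False),   # signature present but invalid
]

if __name__ == "__main__":
    verdicts, tracker = run(SAMPLE)
    for obs, verdict in zip(SAMPLE, verdicts):
        print(f"{obs.sender:20} {str(obs.key_fingerprint):6} -> {verdict}")
    print("carol/FPR-A:", tracker.confidence("carol@example.org", "FPR-A"))
    print("carol/FPR-B:", tracker.confidence("carol@example.org", "FPR-B"))
```

The tracker deliberately treats the sender address and the key as independent facts and only scores their co-occurrence over time, which is the "online identity" David is talking about; it says nothing about who the person is. GnuPG's own TOFU trust model (`--trust-model tofu`) keeps comparable per-key statistics, so a mail client can surface a key change without the user having to remember earlier messages.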