Robot CA at

Volker Gaibler
Thu Dec 5 22:12:03 2002

On Thu, Dec 05, 2002 at 11:43:12AM -0600, Kyle Hasselbacher wrote:
> bogus-but-signed key.  Challenge/response systems have the same problem,
> however.  In a sense, if the attacker can intercept the victim's email, the
> verification is working--the attacker DOES have access to that email
> address, and that's all the robot is trying to find out.  From the robot's
> point of view, there's no difference between this and two (or more) people
> who legitimately and knowingly share an email address.

But why use encryption at all in that case? Slightly simplified:
If someone can read your unencrypted mail (a sysadmin or somebody sniffing
network traffic) - and that's what you want to prevent - they can also
create bogus-but-signed keys.


 Volker Gaibler                                 contact:         
 OpenPGP key: 0x86ECAC0B
 get my public key from website above