Robot CA at toehold.com
Fri Dec 6 12:55:10 2002
At 16:03 2002-12-05 -0600, you wrote:
>This mail was signed (Inlined PGP-Message).
>,-----GnuPG output follows (current time: Fri, Dec 06 2002 - 09:09:51)--
>| Signerades 12/05/02 23:03:00 med hjälp av DSA-nyckeln med ID
>| Korrekt signatur från "Kyle Hasselbacher <firstname.lastname@example.org>"
>`----------------------------------------------------BEGIN PGP SIGNED
>On Thu, Dec 05, 2002 at 09:52:39PM +0100, Volker Gaibler wrote:
>>On Thu, Dec 05, 2002 at 11:43:12AM -0600, Kyle Hasselbacher wrote:
>>> bogus-but-signed key. Challenge/response systems have the same
>>> however. In a sense, if the attacker can intercept the victim's
>>> verification is working--the attacker DOES have access to that email
>>> address, and that's all the robot is trying to find out. From the
>>> point of view, there's no difference between this and two (or more)
>>> who legitimately and knowingly share an email address.
>>But why use encryption at all in that case? Slightly simplified:
>>If someone can read your unencrypted mail (sysadmin or somebody sniffing
>>network traffic) - and that's what you want to prevent - also can create
>That situation is made no worse by having non-working encryption.
>Hopefully the user gets a key working BEFORE people start sniffing. When
>doppelganger shows up, hopefully people will notice. There's some
>there, I know.
>Do you not bother to lock your bicycle when you know there are people with
>bolt cutters? Envelopes can be steamed open, but I still use them. What
>I'm proposing is "better than nothing". It is NOT absolute security.
>merely better than the (terrible) security that's there now. Knowing
>you're welcome not to use it. People who are none-the-wiser will get some
>benefit, perhaps without knowing it. If not, they're no worse off.
>I don't think I can prevent unsophisticated users from falling victim to
>sophisticated attackers. It's just a given. The determined attacker will
>get through this simple security.
>What I can do is stop the more casual attackers. If it's harder to get
>opportunity to violate someone's privacy, it won't happen as often.
I believe this would be a great improvement.