Robot CA at

Volker Gaibler
Fri Dec 6 16:26:02 2002

On Fri, Dec 06, 2002 at 12:54:08PM +0100, Per Tunedal wrote:
> This is interesting! What can be done about this? Change the e-mail address
> and the key? I don't see any way to prevent it.

What kind of security is that when you don't care just because you've
got no solution? 

> How does MS Passport (and similar services) work? Passport will not mind if 
> the e-mail address is used by several people? It's very common on the web 
> with services that just validate the e-mail address. And they seem to work
> so far ...

Common but not secure. Security is a little bit different from usual
engineering. It's not about "do it that way and if we find no problems
that'll be ok". The important thing about security is that you have to
be aware of the cases that have not happened yet - or at least nobody knows
about them.

As an example: If your encryption isn't good (in this case: your signatures
aren't reliable) you will probably _never_ know that it was broken. How?
Mallory won't tell you he broke your encryption. So a good amount of
paranoia is necessary (peer review just isn't something different) to
minimize the risk.


