Keys not trusted

David Shaw
Fri May 16 20:26:01 2003

Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fri, May 16, 2003 at 08:16:06AM +0200, Adrian 'Dagurashibanipal' von Bid=
der wrote:
> On Friday 16 May 2003 03:54, David Shaw wrote:
> > It's one of those eternal questions whether it is better if a system
> > is perfectly secure, but not many people use it, or if it is less
> > secure, and many people use it.  One way to put this is to ask whether
> > it is better to encrypt and be vulnerable to a man in the middle
> > attack... or to not encrypt and be vulnerable to everything ;)
> I guess for some the big is that the people using a
> security-made-easy system - where some vulnerabilities are traded
> against convenience - won't be aware of these vulnerabilities but
> just assume that their system is absolutely 100% secure. So, when
> the first attack comes that uses this well known (amongst those who
> care to know) vulnerability, people will yell 'but you promised us a
> secure system' - and there's nothing you can do. Telling them that
> it wasn't designed to be secure in this way will not help you, then.

Yes, this is absolutely true.  I'm not sure what the answer is for
that except perhaps education... and we all know that users don't read
the manuals ;)


Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v1.2.3-cvs (GNU/Linux)