Bogus Key on Keyservers
Nicholas Cole
npcole at yahoo.co.uk
Sun Oct 16 19:09:27 CEST 2005
--- Tad Marko <tad at tadland.net> wrote:
> > You can't. That's like asking how you can stop
> other people from
> > printing out badges that say "I am Tad Marko" and
> pinning them to their
> > shirts.
>
> I'm not asking for that. I want them to not say that
> a given key goes
> to tad at tadland.net.
>
> > Besides, if you could do that, what would stop
> someone else from
> > deleting YOUR key off of the keyserver or flagging
> THEIR key as the real
> > Tad Marko?
>
> An email verification step?
The problem is, that IF the email infrastructure was
secure enough to be trusted, there would be no need
for pgp/gpg/smime at all. An email verification step
is not, and cannot be, 100% secure.
Of course, in many cases, email is not re-routed,
server admins can be trusted, email systems are not
broken in to - to the extent that email without
additional security is largely trusted as "good
enough".
But, in fact, if someone is willing to forge a key
with your name on, it is probably one of those times
that email may well not be "good enough". Hence the
need to rely on key fingerprints, not on the email
system.
Best,
Nicholas
___________________________________________________________
To help you stay safe and secure online, we've developed the all new Yahoo! Security Centre. http://uk.security.yahoo.com
More information about the Gnupg-users
mailing list