Web of Trust itself is the problem

Alex Mauer hawke at hawkesnest.net
Thu Jan 7 17:50:35 CET 2010

On 01/07/2010 09:45 AM, Daniel Kahn Gillmor wrote:
> Why is this all relevant?  There are good reasons why you might be
> interested in knowing that someone specific signed something public , of
> course (e.g. software signatures, advice on mailing lists or other fora,
> etc).  But for non-public communications: you *must* know who the remote
> endpoint is in order to have truly secret communications.  Without that
> knowledge, you are communicating with an unknown party, so who are you
> keeping things secret from?
> "secret" communications with an unknown remote party over a
> trivially-compromised communications medium are anything but secret.

They’re only unknown the first time you contact them.  It is useful to
know that the second time you contact foo at example.com it’s the same
party you contacted the first time.  Or that the phishing email you
received from bar at example.com didn’t actually come from the same party
you corresponded with last week.

Many people have correspondence with people they never have and never
will meet in person, and knowing that it’s always the same person is
still helpful.

-Alex Mauer “hawke”

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20100107/4fa385df/attachment-0001.pgp>

More information about the Gnupg-users mailing list