PGP/MIME considered harmful for mobile
Robert J. Hansen
rjh at sixdemonbag.org
Mon Feb 28 03:38:43 CET 2011
> I disagree with this. Obviously a bad signature doesn't say much (except perhaps "check your mail system - it's breaking things"), but there is still value in the continuity between multiple signed messages. It's important to not make of that more than it is: for all I know there are 200 people all sharing key 1CF3A917, but it does raise the bar for someone who wants to claim to be Martin.
I used to believe this, up until John Moore, John Clizbe and I did a small experiment on PGP-Basics. We all shared a certificate and used it to sign our emails. It was literally weeks before anyone noticed.
Continuity is a great idea, but based on my own (limited and anecdotal) experience, it does not play a significant role in the real world. Unfortunately, I don't have anything more empirical to stand upon than that one ad-hoc experiment!
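What the shared-certificate experiment described above exercises is worth seeing in code. The following is an added example, not code from the post, from GnuPG or from any of the participants: it implements the bare "continuity" check a mail client can do (remember the key each From address first signed with, flag a change) and then runs the experiment against it. Ed25519 from Go's standard library stands in for OpenPGP signing, a SHA-256 prefix stands in for a key ID, and the sender address, message bodies and holder names are constructed for the demo. The point it makes is the post's: three people holding one key all pass continuity under the same From, while the only things the check does catch are a different key or a tampered body.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SignedMail is the part of a signed message the continuity check looks at:
// claimed From header, body, signing public key and signature. This is a
// constructed stand-in for a PGP/MIME message; there is no OpenPGP parsing here.
type SignedMail struct {
	From      string
	Body      string
	PubKey    ed25519.PublicKey
	Signature []byte
}

// Fingerprint stands in for an OpenPGP key ID: the first 8 bytes of SHA-256
// over the public key, hex-encoded.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// Sign produces a SignedMail over From and Body. Anyone holding priv can call
// this, under any From they like; that is the whole point of the experiment.
func Sign(from, body string, priv ed25519.PrivateKey) SignedMail {
	msg := []byte(from + "\n" + body)
	return SignedMail{
		From:      from,
		Body:      body,
		PubKey:    priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, msg),
	}
}

// Verdict is everything a continuity check is able to say about one message.
type Verdict string

const (
	BadSignature Verdict = "bad signature"
	FirstSeen    Verdict = "first key seen for this sender"
	Continuous   Verdict = "same key as before"
	KeyChanged   Verdict = "key changed"
)

// Checker remembers the first key fingerprint seen for each From address.
// It binds messages to a key, never to the person who pressed "sign".
type Checker struct {
	seen map[string]string
}

func NewChecker() *Checker { return &Checker{seen: map[string]string{}} }

// Check verifies the signature, then compares the signing key against the
// one previously recorded for this From address.
func (c *Checker) Check(m SignedMail) Verdict {
	msg := []byte(m.From + "\n" + m.Body)
	if !ed25519.Verify(m.PubKey, msg, m.Signature) {
		return BadSignature
	}
	fp := Fingerprint(m.PubKey)
	prev, ok := c.seen[m.From]
	if !ok {
		c.seen[m.From] = fp
		return FirstSeen
	}
	if prev == fp {
		return Continuous
	}
	return KeyChanged
}

func mustKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

// SharedKeyExperiment has the shape of the PGP-Basics experiment: one
// certificate, three holders, each signing as the same sender. Every message
// after the first passes continuity, and nothing in the verdicts says which
// holder wrote which message.
func SharedKeyExperiment() []Verdict {
	shared := mustKey() // one certificate, three holders
	holders := []string{"holder A", "holder B", "holder C"}
	c := NewChecker()
	var out []Verdict
	for _, h := range holders {
		m := Sign("martin@example.org", "message written by "+h, shared)
		out = append(out, c.Check(m))
	}
	return out
}

// KeyChangeExperiment shows the two things continuity does catch: a message
// signed with a different key under the same From, and a body altered after
// signing (the "check your mail system" case from the post).
func KeyChangeExperiment() []Verdict {
	k1, k2 := mustKey(), mustKey()
	c := NewChecker()
	from := "martin@example.org"
	first := Sign(from, "hello", k1)
	second := Sign(from, "hello again", k2) // different key, same From
	tampered := Sign(from, "please wire the money", k1)
	tampered.Body = "please wire the money to account X" // altered in transit
	return []Verdict{c.Check(first), c.Check(second), c.Check(tampered)}
}

func main() {
	fmt.Println("shared key, three holders:", SharedKeyExperiment())
	fmt.Println("key change / tampering:   ", KeyChangeExperiment())
}
```

The checker is deliberately the minimal one; adding a keyring lookup or a web-of-trust score would not change the first result, because every message really is validly signed by the one key everyone agreed on.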
More information about the Gnupg-users