PGP/MIME considered harmful for mobile

Robert J. Hansen rjh at
Mon Feb 28 03:38:43 CET 2011

> I disagree with this.  Obviously a bad signature doesn't say much (except perhaps "check your mail system - it's breaking things"), but there is still value in the continuity between multiple signed messages.  It's important to not make of that more than it is: for all I know there are 200 people all sharing key 1CF3A917, but it does raise the bar for someone who wants to claim to be Martin.

I used to believe this, up until John Moore, John Clizbe and I did a small experiment on PGP-Basics.  We all shared a certificate and used it to sign our emails.  It was literally weeks before anyone noticed.

Continuity is a great idea, but based on my own (limited and anecdotal) experience, it does not play a significant role in the real world.  Unfortunately, I don't have anything more empirical to stand upon than that one ad-hoc experiment!

More information about the Gnupg-users mailing list