PGP/MIME considered harmful for mobile
dshaw at jabberwocky.com
Mon Feb 28 04:15:20 CET 2011
On Feb 27, 2011, at 10:05 PM, Robert J. Hansen wrote:
>> I'm not at all surprised that you had those results. A limited subset of people have support for OpenPGP signatures. A limited subset of those people actually verify signatures. A limited subset of those people actually pay attention to what those signatures say.
> Yes: but one would hope that on PGP-Basics those "limited subsets" would be present in significant numbers, much as on GnuPG-Users.
I wouldn't hope that. Or perhaps, I might hope that, but certainly not expect it. Do you check the signatures on each message you get on PGP-Basics or GnuPG-Users? I certainly don't. The fact that a message is signed on a public list is of little interest to me. Barring a situation like the Martin/Fake Martin we're talking about (i.e. if someone felt they were being spoofed and called the group's attention to it), I probably wouldn't bother to look at the signatures at all.
>> It is reasonable that if someone was being masqueraded, that person would speak up and challenge the forger (e.g. "Hey, you're not Martin! I'm the real Martin, and I can prove it by signing this message with the same key I've used all along...."). If the real Martin waited for someone else to notice, well, he may end up waiting for a long time.
> I'm not sure this is reasonable. If the real Martin doesn't care about what I'm saying, what motive does he have to check the signatures on my messages?
I think we're missing each other here. We have Martin (the real one), the fake Martin (let's call him "Marty"), and various other people on a mailing list. Martin always signs his messages. One day Marty shows up and tries to pretend to be Martin. Martin, not wanting someone else to pretend to be him, can easily say: "You're not Martin. I am Martin, and I can prove it: I have signed this message with the same key that I've used for all my other messages".