PGP/MIME considered harmful for mobile

Robert J. Hansen rjh at sixdemonbag.org
Mon Feb 28 23:47:32 CET 2011


On 2/28/11 12:10 PM, David Shaw wrote:
> Well, I suppose that's up to you whether you want to trust RM or not.
> A question on trustworthiness is outside crypto, and not what the
> discussion was about here in any event.

First it was, "even signatures from non-validated keys belonging to
non-trusted persons can be significant, because it establishes
continuity of communications."  Now it's, "a question on trustworthiness
is outside crypto."

Which is it?  Are signatures from non-validated keys belonging to
non-trusted persons significant, or is trust outside the world of crypto?

Ultimately, it's perfectly reasonable to say "I trust that RM is not
screwing with me, and I trust that the key with fingerprint [...] really
belongs to him," and from there bootstrap into getting significant
signatures.  But that doesn't invalidate the point of signatures needing
(a) to be correct, (b) to come from validated keys which (c) belong to
trusted persons.  You're just saying, "I will trust whom I will trust,
and I am assuming the validity of this key."
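The three conditions the message separates (the signature verifies, the key has been validated as belonging to the claimed owner, and the owner is someone the verifier trusts) can be shown as three independent checks. The following Python is an added illustration, not code from this thread or from GnuPG; it uses a toy Lamport one-time signature over SHA-256 as a stand-in for OpenPGP signing so that it runs offline, and the keyring layout, the `validated`/`trusted` flags and the names `assess` and `demo` are this example's own assumptions.

```python
import hashlib
import os
from dataclasses import dataclass

# Toy Lamport one-time signature (assumption: a stand-in for OpenPGP, chosen
# only because it is implementable with hashlib alone). Never reuse a key.
N_BITS = 256


def keygen():
    """Return (secret, public): 256 pairs of preimages and their SHA-256 images."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(N_BITS)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk


def fingerprint(pk):
    """Hash of the whole public key; what a user would compare out of band."""
    h = hashlib.sha256()
    for a, b in pk:
        h.update(a)
        h.update(b)
    return h.hexdigest()


def _bits(message):
    digest = hashlib.sha256(message).digest()
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(N_BITS)]


def sign(sk, message):
    """Reveal one preimage per message-hash bit."""
    return [sk[i][bit] for i, bit in enumerate(_bits(message))]


def signature_correct(pk, message, sig):
    """Condition (a): the signature verifies under this public key."""
    if len(sig) != N_BITS:
        return False
    return all(hashlib.sha256(sig[i]).digest() == pk[i][bit]
               for i, bit in enumerate(_bits(message)))


@dataclass
class KeyringEntry:
    pk: list
    owner: str
    validated: bool = False  # (b) verifier confirmed the fingerprint belongs to owner
    trusted: bool = False    # (c) verifier trusts the owner


def assess(keyring, fpr, message, sig):
    """Report each condition separately; 'significant' needs all three."""
    entry = keyring.get(fpr)
    if entry is None:
        return {"signature_correct": None, "key_validated": False,
                "owner_trusted": False, "significant": False}
    ok = signature_correct(entry.pk, message, sig)
    return {"signature_correct": ok,
            "key_validated": entry.validated,
            "owner_trusted": entry.trusted,
            "significant": ok and entry.validated and entry.trusted}


def demo():
    """Walk through the bootstrapping described in the message (constructed data)."""
    sk, pk = keygen()
    fpr = fingerprint(pk)
    message = b"constructed sample message from RM"
    sig = sign(sk, message)
    keyring = {fpr: KeyringEntry(pk=pk, owner="RM")}

    # Key imported but never validated or trusted: the signature is correct,
    # yet it says nothing about who sent the message.
    before = assess(keyring, fpr, message, sig)
    # The verifier checks the fingerprint with RM and decides to trust him.
    keyring[fpr].validated = True
    keyring[fpr].trusted = True
    after = assess(keyring, fpr, message, sig)
    # A tampered message fails condition (a) regardless of (b) and (c).
    tampered = assess(keyring, fpr, message + b"!", sig)
    return before, after, tampered


if __name__ == "__main__":
    for label, result in zip(("before", "after", "tampered"), demo()):
        print(label, result)
```

Separating the three results, instead of collapsing them into one pass/fail, is what lets a verifier say "the signature is good but I have not validated this key" without either over-trusting or discarding the signature; it is the same distinction GnuPG draws when it reports a good signature alongside a warning that the key is not certified.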



More information about the Gnupg-users mailing list