On message signing and Enigmail...
Robert J. Hansen
rjh at sixdemonbag.org
Wed Feb 1 21:45:05 CET 2012
On 2/1/12 3:34 PM, Christopher J. Walters wrote:
> On the issue of signing: I do sign my messages, and have uploaded my
> public keys to key servers, so they are available to check that no
> one has changed my message.
Except that it doesn't. What's to prevent me from creating a
certificate with your name and email address and making posts in your
name, with a signature from a certificate that claims to be yours?
Nothing -- and that signature is every bit as credible as the one that's
from your own certificate. You might say, "but that certificate's a
fraud, my certificate's real!", but the Christopher Walters impersonator
will say the same thing about you. There's no way to check.
I understand the desire to give people a way to verify the integrity of
your message, but the way you're going about it has some glaring and
> In reply to the concept that it is meaningless, I will say that I
> feel that it adds a layer of trust (perhaps more than one, if you
> have one or more lines of trust to the poster) that the message was,
> in fact, posted by the person signing it, and that person stands
> behind what they say.
I can't argue against a feeling. No one can. Feelings are what they
are, and they are immune to the forces of reason.
That said, I consider this sentiment to be a close analogue of feeling
that statements given by argyle-wearing men who speak Occitan with a
lisp are more trusted than statements given by others. It's crazy.
It's just that it's your particular flavor of it, and I respect that.
Just don't ask me to subscribe to it. :)
(No perjoration is intended. We all have our own particular flavors of
More information about the Gnupg-users