On message signing and Enigmail...
jerry at seibercom.net
Wed Feb 1 22:19:45 CET 2012
On Wed, 01 Feb 2012 15:45:05 -0500
Robert J. Hansen articulated:
> Except that it doesn't. What's to prevent me from creating a
> certificate with your name and email address and making posts in your
> name, with a signature from a certificate that claims to be yours?
> Nothing -- and that signature is every bit as credible as the one
> that's from your own certificate. You might say, "but that
> certificate's a fraud, my certificate's real!", but the Christopher
> Walters impersonator will say the same thing about you. There's no
> way to check.
> I understand the desire to give people a way to verify the integrity
> of your message, but the way you're going about it has some glaring
> and obvious flaws.
I have to agree with Robert on this one. The whole idea of signing a
message in a forum such as this is more of a pseudo security concept
AKA "feel good" belief. It doesn't hurt to do it, but its usefulness is
limited to pacifying yourself into a false sense of security.
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
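
Added example, not part of the original message: a sketch of the point argued in the thread, that a signature which verifies only shows the post was made with some key, and that two unrelated keys can carry the same name and address. It uses a Lamport one-time signature built from SHA-256 as a stand-in for OpenPGP so it runs with only the Python standard library. The identity, the function names and the `pinned` map (a fingerprint the reader confirmed out of band) are all assumptions constructed for illustration.

```python
import hashlib
import secrets

def H(data):
    return hashlib.sha256(data).digest()

def keygen(uid):
    # The user ID is self-asserted: key generation never checks it.
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    pk = [[H(a), H(b)] for a, b in sk]
    return {"uid": uid, "sk": sk, "pk": pk}

def fingerprint(pk):
    return H(b"".join(h for pair in pk for h in pair)).hex()

def bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(key, msg):
    # Lamport: reveal one secret per bit of the message digest (one-time use).
    return [key["sk"][i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

def check_post(uid, pk, msg, sig, pinned):
    # pinned: uid -> fingerprint the reader confirmed out of band (may be empty).
    if not verify(pk, msg, sig):
        return "bad signature"
    if uid not in pinned:
        return "valid signature, unvalidated key"
    if fingerprint(pk) != pinned[uid]:
        return "valid signature, key does not match pinned fingerprint"
    return "valid signature, pinned key"

def demo():
    uid = "Alice Example <alice@example.org>"  # constructed identity
    real, fake = keygen(uid), keygen(uid)      # two unrelated keys, same user ID
    post_a, post_b = b"post from key A", b"post from key B"
    sig_a, sig_b = sign(real, post_a), sign(fake, post_b)
    pinned = {uid: fingerprint(real["pk"])}
    return {
        "no_pin": [check_post(uid, real["pk"], post_a, sig_a, {}),
                   check_post(uid, fake["pk"], post_b, sig_b, {})],
        "pinned": [check_post(uid, real["pk"], post_a, sig_a, pinned),
                   check_post(uid, fake["pk"], post_b, sig_b, pinned)],
        "tampered": check_post(uid, real["pk"], b"edited", sig_a, pinned),
    }
```

Without a pinned fingerprint both posts get the same verdict; the two keys only become distinguishable once the reader holds a fingerprint obtained through some channel other than the post itself.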