No subject

Andrew Gallagher andrewg at andrewg.com
Wed Jul 3 15:33:46 CEST 2019


On 03/07/2019 14:00, Roland wrote:

> 1/ Perhaps the fear of compromised communication (including
> distributed software, private messages) can be mitigated by
> practicing short feedback lines: confirmations. Like "did you get my
> communication, what did it say?"

If your communication pathway is untrustworthy, it is more effective to
use multiple independent lines of communication than multiple messages
over the same channel. This is still not foolproof, but it significantly
increases the difficulties faced by an attacker. That said, if you've
already leaked your secrets over the insecure channel it may be too late
for you.

> 2/ Perhaps one should not give too much trust to a WoT at all. After
> all, a crook can pretend to be a friend, and thus yield the entire
> WoT untrustworthy

This is not quite true - if I am the recipient of a message, I must
explicitly assign "signing trust" to all the links in the signature
chain, in addition to assigning "identity verification" to the root of
that chain. I can also assign "marginal trust" so that more than one
verification pathway is required, to protect against duplicitous
individuals.

But you're right, these subtleties are why WoT never took off. :-)

-- 
Andrew Gallagher
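
The following is an added example, not part of the original message or of GnuPG's code: a simplified model of the validity calculation described above, showing why one marginally trusted signer cannot validate a key alone. The thresholds mirror GnuPG's defaults for `--completes-needed`, `--marginals-needed` and `--max-cert-depth`; the key names and keyring are constructed.

```python
# Simplified model of the classic Web-of-Trust validity calculation.
# Thresholds mirror GnuPG's defaults; this is not GnuPG's implementation.
COMPLETES_NEEDED = 1   # certifications needed from fully trusted signers
MARGINALS_NEEDED = 3   # certifications needed from marginally trusted signers
MAX_CERT_DEPTH = 5     # maximum length of a certification chain


def valid_keys(me, ownertrust, sigs):
    """Return the set of keys the verifier `me` may treat as valid.

    ownertrust: key -> "full" | "marginal" (signing trust assigned by `me`)
    sigs:       key -> set of keys that certified it
    """
    valid = {me}
    trust = {**ownertrust, me: "full"}
    for _ in range(MAX_CERT_DEPTH):          # each pass extends chains by one link
        newly = set()
        for key, signers in sigs.items():
            if key in valid:
                continue
            good = signers & valid           # only certifications by valid keys count
            full = sum(1 for s in good if trust.get(s) == "full")
            marginal = sum(1 for s in good if trust.get(s) == "marginal")
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly.add(key)
        if not newly:
            break
        valid |= newly
    return valid


# Constructed sample keyring: which keys certified which key.
SIGS = {
    "alice": {"me"}, "bob": {"me"}, "carol": {"me"}, "mallory": {"me"},
    "stranger": {"alice"},                # valid key, but given no signing trust
    "erin": {"bob", "carol", "mallory"},  # three independent marginal pathways
    "fake-dave": {"mallory"},             # certified only by the duplicitous signer
    "grace": {"stranger"},                # chain passes through an untrusted link
}
TRUST = {"alice": "full", "bob": "marginal",
         "carol": "marginal", "mallory": "marginal"}

if __name__ == "__main__":
    print(sorted(valid_keys("me", TRUST, SIGS)))
    # Assigning the duplicitous signer full trust lets a single pathway suffice.
    print("fake-dave" in valid_keys("me", {**TRUST, "mallory": "full"}, SIGS))
```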
