Re: OT: Email signing



On Tue, 2006-01-31 at 14:41 -0800, Gordon Messmer wrote:
> He'll see a message, either with an inline PGP signature, or an 
> attachment (depending on your client configuration), but won't have
> any indication that the signature is valid.  It's just some extra data
> in the message.  He'd have to install a PGP plugin for Outlook, and
> get your key's fingerprint from you in order to validate signed
> messages.
> 
> This is why I advocate SMIME: more people already have the software to
> validate your messages.

I think both systems have big problems:

Both have quite a bit of complexity, both in getting them set up, and
understanding that you should really pay attention to "invalid"
warnings.

Getting a certificate to prove who you are can be difficult.  And I have
concerns that some don't really do checks that would prove you are who
you say you are.  And even with a cert, it may just prove that the same
computer was used, but not prove whoever was typing on it.

Really verifying self-made PGP certificates is difficult.  It seems more
suited to trusting friends you've met in person (i.e. that you're really
getting mail from that guy you met yesterday, not someone sitting next
to him who heard you say your e-mail address out loud), but you don't
know who they really are unless you checked some other form of ID out
when you met them.  And again, a PGP-signed mail may just prove that you
got an e-mail from their computer, not prove who it was typing on their
keyboard.

-- 
Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
