Re: mysterious PGP release-signing keys
>> This is yet another good example of why one should never confuse using
>> certificates with security. An email PGP signature looks impressive but in
>> practice it is useless.
>It is useful iff you can verify the validity of the used PK certificate.
>That's what the web of trust in PGP is for.
Unfortunately the "if" is false. I have no idea if your fancy PK signature
really represents you. Just look at the recent trouble Black Unicorn has
had with someone else using the same name affiliated with a key stored on
the Network Associates PGP key server. Dave could not verify a PK signature
for the PGP software distribution itself. PKI, or a web of trust, looks
good on paper but in practice it does not work when scaled up to large
numbers of networked users.
P.O. Box 11406
Pleasanton, CA 94588 USA