
Re: mysterious PGP release-signing keys

>> This is yet another a good example of why one should never confuse using
>> certificates with security.  An email PGP signature looks impressive but in
>> practice it is useless.
>It is useful iff you can verify the validity of the used PK certificate.
>That's what the web of trust in PGP is for.

Unfortunately the "if" is false.  I have no idea if your fancy PK signature 
really represents you.  Just look at the recent trouble Black Unicorn has 
had with someone else using the same name affiliated with a key stored on 
the Network Associates PGP key server. Dave could not verify a PK signature 
for the PGP software distribution itself.  PKI, or a web of trust, looks 
good on paper but in practice it does not work when scaled up to large 
numbers of networked users.

- Alex

Alex Alten

[email protected]
[email protected]

P.O. Box 11406
Pleasanton, CA  94588  USA
(925) 417-0159
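The distinction the thread is arguing over, a signature that verifies cryptographically versus a signature from a key you have actually tied to a person, can be shown in a few lines. The following is an added example, not code from the thread or from PGP; it uses Ed25519 from the Go standard library as a stand-in for a PGP signing key, SHA-256 of the public key bytes as a stand-in for a PGP fingerprint, and a constructed release payload and user ID. Two keys carry the same self-asserted user ID (the Black Unicorn situation): a verifier that only checks the signature accepts both, while one that also checks the fingerprint against a value obtained out of band rejects the impostor.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SignedRelease models what a release-signing key produces: a self-asserted
// user ID (like a PGP user ID packet), the public key, and a signature over
// the release bytes. Hypothetical type for this example.
type SignedRelease struct {
	UserID    string // self-asserted name/email; NOT authenticated by the signature
	PublicKey ed25519.PublicKey
	Signature []byte
}

// Fingerprint returns the hex SHA-256 of the public key bytes. Real PGP
// fingerprints are computed differently; this is only the analogue.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// NewKey generates a fresh signing key (stand-in for a PGP key pair).
func NewKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

// Sign produces a SignedRelease over the release bytes, labelled with
// whatever user ID the signer chooses to claim.
func Sign(userID string, priv ed25519.PrivateKey, release []byte) SignedRelease {
	return SignedRelease{
		UserID:    userID,
		PublicKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, release),
	}
}

// SignatureValid is where a naive verifier stops: the bytes were signed by
// *some* holder of the private key matching PublicKey.
func SignatureValid(r SignedRelease, release []byte) bool {
	return ed25519.Verify(r.PublicKey, release, r.Signature)
}

// TrustedSignature adds the step the thread is about: the signing key must
// also match a fingerprint the verifier obtained out of band (pinned maps
// user ID to that fingerprint). A valid signature under an unpinned key is
// rejected even though it carries the same user ID string.
func TrustedSignature(r SignedRelease, release []byte, pinned map[string]string) bool {
	if !SignatureValid(r, release) {
		return false
	}
	want, ok := pinned[r.UserID]
	return ok && want == Fingerprint(r.PublicKey)
}

// Demo builds the scenario from the thread: two different keys, both
// labelled with the same user ID, sign the same (constructed) release.
// It returns (naiveAcceptsBoth, pinnedAcceptsGenuine, pinnedAcceptsImpostor).
func Demo() (bool, bool, bool) {
	release := []byte("constructed sample release tarball contents")
	const uid = "Release Engineer <releases@example.org>" // constructed user ID

	genuine := NewKey()
	impostor := NewKey() // a different key uploaded to a keyserver under the same name

	// The only thing separating the two keys is a fingerprint learned out of band.
	pinned := map[string]string{uid: Fingerprint(genuine.Public().(ed25519.PublicKey))}

	fromGenuine := Sign(uid, genuine, release)
	fromImpostor := Sign(uid, impostor, release)

	naiveBoth := SignatureValid(fromGenuine, release) && SignatureValid(fromImpostor, release)
	return naiveBoth,
		TrustedSignature(fromGenuine, release, pinned),
		TrustedSignature(fromImpostor, release, pinned)
}

func main() {
	naive, genuine, impostor := Demo()
	fmt.Printf("signature-only verifier accepts both keys: %v\n", naive)
	fmt.Printf("pinned-fingerprint verifier accepts genuine: %v, impostor: %v\n", genuine, impostor)
}
```

The pinned map stands in for whatever out-of-band channel you actually have (a fingerprint printed in a book, read over the phone, or carried by a web-of-trust path you have checked yourself); without some such channel, `TrustedSignature` degrades to `SignatureValid`, which is the point Alex is making.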