[Enigmail] Usability issues
John W. Moore III
jmoore3rd at bellsouth.net
Tue Dec 11 15:33:16 PST 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
LeRoy Cressy wrote:
> When a person sends back to you your private key signed you do not have
> to import the key into your keyring unless you know that it is from the
> proper person that you met at the meeting. When you verify that the key
> is from and only contains the addition of only the individual's
> signature and no other additional signatures then you should import the
> key into your keyring.
This is all well & good when dealing with Users who are both experienced
& polite. Sadly, all too often, Users forward Keys they have just
signed direct to the Keyservers "as a courtesy" or to make it as widely
known as possible that 'They' now Trust this Key. :(

As in the Example referenced by Robert, a nefarious individual would
create a Key with the UID 'AIDS Recovery Support Group' or 'Philadelphia
Skinheads for a Better America'; Sign Your Key with this Key with a
Trust Signature and then Upload it to the Keyservers. Whenever others
either Refreshed Your Key or downloaded it for the 1st time from a
Keyserver there the Signature would be. Many folks form 1st Opinions
without either checking with You or believing Your response if they do.

Once Your Key is on another's Keyring there is nothing to prevent them
from Uploading it to Keyservers with whatever modifications are
technically feasible. :( The only practical solution is to place Your
Key on Big Lumber [or perhaps PGP GD] and suggest that only a copy of
Your Key retrieved from there be given any credence.
JOHN ;)
Timestamp: Tuesday 11 Dec 2007, 18:33 --500 (Eastern Standard Time)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8-svn4648: (MingW32)
Comment: Public Key at: http://tinyurl.com/8cpho
Comment: Gossamer Spider Web of Trust: https://www.gswot.org
Comment: My Homepage: http://tinyurl.com/yzhbhx
Comment: MySpace Page: http://www.myspace.com/jmoore3rd
-----END PGP SIGNATURE-----