Evil PGP sigs thread must die. was Re: Stop it with putting your e-mail body in my MUA OT
Chris Woodfield
rekoil at semihuman.com
Wed Jul 10 19:31:39 UTC 2002
Which is why the "web of trust" exists. And why people do keysignings at NANOG
events. And why, at least on my mail client, the signature shows the email
address of its owner. If Scott spoofs and email from me and signs it with his
key, people will notice.
-C
> If people judge authenticity based on the simple fact that a message is
> signed, that's just as useless. Why wouldn't the spoofed email be signed
> with somebody else's key, to make it past all those people who merely
> check to see if it's signed?
>
> The _only_ way to verify authenticity is to check the signature. By
> signing every single email sent, you endanger yourself by allowing your
> recipients to judge the authenticity of your emails simply by the
> existence of a pgp signature.
>
> Therefore, you should only sign emails that contain information important
> enough that verification is necessary, otherwise nobody will check.
>
> Andy
>
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Andy Dills 301-682-9972
> Xecunet, LLC www.xecu.net
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Dialup * Webhosting * E-Commerce * High-Speed Access
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20020710/bc0a7337/attachment.sig>
More information about the NANOG
mailing list