Re: About PGP Signing a File.



Tony Arnold wrote:

Phil Zimmermann, who invented PGP, used to sign keys at conventions etc.
or wherever he was appearing, and I think you had to produce your
passport before he would sign it. So, a key signed by Phil is likely
to be reasonably trustworthy!

This is exactly the sort of thing someone attacking PGP likes to
hear. ;) You're assigning trust where you shouldn't because you blindly
believe PRZ's signature on a key helps make it "authentic". So getting
a PRZ endorsement becomes a very easily exploitable and reliable way to
wedge yourself into the whole digital signature process.

This is a prime example of how security is often more about how a
system can be exploited than it is about how robust the tools are.
Passports are trivial to forge, and PRZ would have had no prior
knowledge of most or any of these peoples' identities. Those things
alone make this sort of "puppy mill" key signing less than useless. An
actual, real-life breach of protocol that should never have
happened, let alone been trusted. :(

--
_?_ Outside of a dog, a book is a man's best friend.
(o o) Inside of a dog, it's too dark to read.
-oOO-(_)--OOo------------------------------[ Groucho Marx ]---
http://wrench.homelinux.net/~jeff/

Attachment: signature.asc
Description: PGP signature

--
ubuntu-users mailing list
ubuntu-users@xxxxxxxxxxxxxxxx
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
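The distinction the reply turns on (a certification signature existing on a key versus the owner trust you assign to the certifier) is easy to see in the classic PGP web-of-trust validity rules. The following is an added example, not code from either poster and not GnuPG's own implementation: a small Python model of those rules. It assumes GnuPG's default thresholds (one fully trusted certifier or three marginally trusted ones, at most 5 certification hops), and the keys "alice", "prz", "mallory", "carol", "dave" and "charlie" plus the certifications between them are constructed for illustration.

```python
"""Web-of-trust key validity, modelled on the classic PGP/GnuPG trust model.

Added example, not from the original thread.  Assumed defaults (GnuPG's):
COMPLETES_NEEDED=1, MARGINALS_NEEDED=3, MAX_CERT_DEPTH=5.  Keyring contents
below are constructed for illustration.
"""
from enum import IntEnum


class OwnerTrust(IntEnum):
    """How much the keyring owner trusts a key's holder to certify OTHER keys."""
    UNKNOWN = 0
    NEVER = 1
    MARGINAL = 2
    FULL = 3
    ULTIMATE = 4   # the owner's own key


COMPLETES_NEEDED = 1   # fully trusted certifiers needed for validity
MARGINALS_NEEDED = 3   # marginally trusted certifiers needed for validity
MAX_CERT_DEPTH = 5     # maximum certification chain length


def compute_validity(certifications, owner_trust):
    """Return {key: bool} saying which keys the keyring owner may treat as
    authentically bound to their user ID.

    certifications: {key: set(signer keys that certified it)}
    owner_trust:    {key: OwnerTrust} as assigned by the keyring owner

    A signature only counts if (a) the signing key is itself valid and
    (b) the keyring owner has assigned that signer owner trust.  A signer
    with UNKNOWN or NEVER trust contributes nothing, however famous.
    """
    valid = {k for k, t in owner_trust.items() if t == OwnerTrust.ULTIMATE}
    for _ in range(MAX_CERT_DEPTH):
        newly_valid = set()
        for key, signers in certifications.items():
            if key in valid:
                continue
            full = marginal = 0
            for signer in signers:
                if signer not in valid:          # invalid signers never count
                    continue
                trust = owner_trust.get(signer, OwnerTrust.UNKNOWN)
                if trust >= OwnerTrust.FULL:     # FULL or ULTIMATE
                    full += 1
                elif trust == OwnerTrust.MARGINAL:
                    marginal += 1
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly_valid.add(key)
        if not newly_valid:                      # fixpoint reached
            break
        valid |= newly_valid
    every_key = set(certifications) | set(owner_trust)
    return {k: (k in valid) for k in every_key}


# Constructed keyring: "alice" is the keyring owner.  She certified "prz"
# (Phil's key), "carol" and "dave" herself.  "mallory" and "charlie" each
# got a convention signature from "prz"; "charlie" was also certified by
# "carol" and "dave".
CERTIFICATIONS = {
    "prz":     {"alice"},
    "carol":   {"alice"},
    "dave":    {"alice"},
    "mallory": {"prz"},
    "charlie": {"prz", "carol", "dave"},
}


def trust_scenario(prz_owner_trust):
    """Validity of every key given the owner trust alice assigns to prz."""
    owner_trust = {
        "alice": OwnerTrust.ULTIMATE,
        "prz":   prz_owner_trust,
        "carol": OwnerTrust.MARGINAL,
        "dave":  OwnerTrust.MARGINAL,
    }
    return compute_validity(CERTIFICATIONS, owner_trust)


if __name__ == "__main__":
    for level in (OwnerTrust.UNKNOWN, OwnerTrust.MARGINAL, OwnerTrust.FULL):
        result = trust_scenario(level)
        print(f"prz owner trust = {level.name:8s} -> "
              f"mallory valid: {result['mallory']}, "
              f"charlie valid: {result['charlie']}")
```

Running the scenario shows the point of the reply: Phil's signature on "mallory" changes nothing until alice herself assigns Phil owner trust, and with FULL trust a single convention signature is enough to make "mallory" valid. With only MARGINAL trust for Phil, "charlie" (three marginal certifiers) becomes valid while "mallory" (one) does not. The security decision therefore lives in the ownertrust value, which is what the original message argues should not be handed out on the strength of a passport check.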

