Er, is it just me or isn't the point of GnuPG that there *are* people you *can't trust*? We wouldn't be needing digital signatures if everybody honoured the 'gentleman's agreement' that we should only sign as ourselves (or at most as a pseudonym that can't be confused for a real person) in plaintext email.

If the KSP is so weak that it depends on gentleman's agreements to work, it's been cracked with unannounced malicious intent already, or soon will be. The whole point of the web of trust is that you should only say you trust people you actually trust. Personally I think a keysigning where I only know people by ID is at best a marginal trust.

GnuPG is about security, and security implies that there is a need to be secure against someone or something. In the case of GnuPG it's people pretending to be something they are not. If you depend on 'acceptable behaviour' to prevent abuse of this system you've already lost, because the person who is pretending to be who they are not, with malicious intent, is not going to honour that understanding. They also won't tell you about it.

So, again, what's the point of security if it depends on 'acceptable behaviour' or 'gentleman's agreements' to succeed?

--
And that's my crabbing done for the day. Got it out of the way early, now I have the rest of the afternoon to sniff fragrant tea-roses or strangle cute bunnies or something.
-- Michael Devore