Alexander W. Janssen wrote:
> I just found this on the NCSA-ticker:
> http://security.ncsa.uiuc.edu/wiki/NCSA_makes_secure_group_email_services_available
>
> Did anyone try this yet?

It does sound interesting, but how can I trust the signature of a key I know wasn't generated by the appropriate user? How can anyone trust the key the listserv generated for me? How can I be certain that at no point in the future the server isn't going to forge a signature, since it has my private (use on list X only) key and passphrase?

How does doubling the number of keys I have (normal GPG, and now list X) make my own key management simpler (as a simple end user)? What happens when I find myself on 3 or 4 of these lists? What error do I receive if I use the wrong key (or none at all)? I see how the admin holding a pool of keys could make it easier on him.

Who decrypts my message encrypted to the listserve, and how does it get re-encrypted to each valid list subscriber? How do I know that that system isn't compromised? How do I know a rogue party isn't subscribed to the list too?

Maybe that's because I'm just a casual end user, so I'm not "the market" for this. It could be useful within an organization. After all, if my boss says "use this GPG key for all internal company email," then the most effort I'll put in is double-checking with a couple other employees that they were told the same thing. But I wouldn't let any 'forced' trust permissions affect my personal GPG WoT.

And if it is entirely within an organization, how does the complexity of this compare to:

1. key with shared password
2. a private 509x
3. a full 509x setup
4. running a listserve that decrypts and recrypts automatically under your own control, using regular GPG keys which may be backed by the WoT.

I don't see an answer to any of these questions on the webpages. (They could be hidden in the PDFs.)

Or to ask the question the way I'd think Robert J. Hansen would ask it (and I'm not 100% certain I'm using the words right): What is my threat model, and how does this help? How does this compare to other solutions?

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users