On 01/12/2011 11:13 AM, Robert J. Hansen wrote:
> Show me the worth in a signed message that has any of (a) an incorrect
> signature, (b) from an invalid key, or (c) from someone you believe is
> utterly untrustworthy.
As a devil's advocate, I'd point out that a message signed with a valid key known to belong to someone who is utterly untrustworthy could be used *against* the signer, by saying something like: "look -- here is Mr. X claiming that he is going to poison the reservoir. Please take this seriously, and note that it could only have come from Mr. X because it is signed with his key."

This doesn't mean that Mr. X is actually going to poison the reservoir, but the signature is a good argument that the reservoir guards should investigate this particular individual -- that the message is not a forgery from someone trying to tarnish Mr. X's reputation.

Signing a message makes you somewhat more vulnerable -- it is a non-repudiable statement bound to your identity, which people can use against you. It is also a way of standing behind what you are saying, and accepting responsibility for it. This kind of tradeoff needs to be made consciously, and is one of the reasons that you need to take good care to protect your secret keys.

Regards,

--dkg
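The point above, that signature validity and trust in the signer are separate questions, shown as an added example that is not part of the thread. It uses Go's standard-library Ed25519 in place of OpenPGP, and the trust table and the statement text are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Verdict keeps the two questions a verifier answers apart:
// did the holder of this key really sign this message, and
// do we consider that key's owner trustworthy. They are independent.
type Verdict struct {
	SignatureValid bool // message genuinely came from the holder of the key
	SignerTrusted  bool // our opinion of the signer; says nothing about validity
}

// Evaluate checks sig over msg against pub, then consults a constructed
// trust table keyed by the hex encoding of the public key.
func Evaluate(pub ed25519.PublicKey, msg, sig []byte, trusted map[string]bool) Verdict {
	return Verdict{
		SignatureValid: ed25519.Verify(pub, msg, sig),
		SignerTrusted:  trusted[fmt.Sprintf("%x", pub)],
	}
}

// Scenario models the thread's example: Mr. X signs a statement with his own
// key, and a third party tries to pin a statement on him with a different key.
func Scenario() (genuine Verdict, forged Verdict, err error) {
	xPub, xPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	_, impostorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	trusted := map[string]bool{fmt.Sprintf("%x", xPub): false} // nobody trusts Mr. X
	stmt := []byte("statement attributed to Mr. X") // constructed sample message
	// Valid signature from an untrusted key: the statement is still his.
	genuine = Evaluate(xPub, stmt, ed25519.Sign(xPriv, stmt), trusted)
	// The impostor cannot produce a signature that verifies under Mr. X's key.
	forged = Evaluate(xPub, stmt, ed25519.Sign(impostorPriv, stmt), trusted)
	return
}

func main() {
	g, f, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine: %+v\nforged:  %+v\n", g, f)
}
```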
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users