On 2/1/12 3:34 PM, Christopher J. Walters wrote: > On the issue of signing: I do sign my messages, and have uploaded my > public keys to key servers, so they are available to check that no > one has changed my message.
Except that it doesn't. What's to prevent me from creating a certificate with your name and email address and making posts in your name, with a signature from a certificate that claims to be yours? Nothing -- and that signature is every bit as credible as the one that's from your own certificate. You might say, "but that certificate's a fraud, my certificate's real!", but the Christopher Walters impersonator will say the same thing about you. There's no way to check. I understand the desire to give people a way to verify the integrity of your message, but the way you're going about it has some glaring and obvious flaws. > In reply to the concept that it is meaningless, I will say that I > feel that it adds a layer of trust (perhaps more than one, if you > have one or more lines of trust to the poster) that the message was, > in fact, posted by the person signing it, and that person stands > behind what they say. I can't argue against a feeling. No one can. Feelings are what they are, and they are immune to the forces of reason. That said, I consider this sentiment to be a close analogue of feeling that statements given by argyle-wearing men who speak Occitan with a lisp are more trusted than statements given by others. It's crazy. It's just that it's your particular flavor of it, and I respect that. Just don't ask me to subscribe to it. :) (No perjoration is intended. We all have our own particular flavors of crazy.) _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
