On Wed, Jan 2, 2013 at 2:36 PM, William Herrin <b...@herrin.us> wrote:
> On Wed, Jan 2, 2013 at 1:39 PM, Christopher Morrow
> <morrowc.li...@gmail.com> wrote:
>> goodness-scale (goodness to the left)
>> signed > self-signed > unsigned
>
> Hi Chris,
>
> Self-signed and unsigned are identical. The "goodness" scale is:
>
> Encrypted & Verified (signed) > Encrypted Unsigned (or self-signed,
> same difference) > Unencrypted but physically protected > Unprotected
>
>> I don't think there's much disagreement about that... the sticky
>> wicket though is 'how much better is 'signed' vs 'self-signed' ? and I
>> think the feeling is that:
>
> I don't see how "feeling" plays into it.
>
> Communications using an unverified public key are trivially vulnerable
> to a man-in-the-middle attack where the connection is decrypted,
> captured in its unencrypted form and then undetectably re-encrypted
> with a different key. Communications using a key signed by a trusted
> third party suffer such attacks only with extraordinary difficulty on
> the part of the attacker. It's purely a technical matter.
>
> The information you're trying to protect is either sensitive enough
> that this risk is unacceptable or it isn't. That's purely a question
> for the information owner. No one else's opinion matters for squat.
I think we're talking past each other :( I also think we're mostly saying the same thing... I think though that the 'a question for the information owner' is great, except that I doubt most of them are equipped with enough information to make the judgement themselves.

-chris