> >> I could almost bet my left index finger on the fact that 99%
> >> of those PGP-signatures are invalid. This is something that
> >> SA could exploit.
[..]
> I too have large gaps in the operation of PGP, but is it not tied to an
> email address or some other publicly available validation of the sender's
> identity?
> What is the point of using a key for non-repudiation if you can't identify
> who sent the message?

I did not mean verifying the authenticity of the sender or the message,
but just a simple check to see if the data inside the PGP-signature is
actually some sort of valid signature, or just some random ascii-crap.

As I mentioned earlier, battling this I guess can only be done by checking
if the PGP-data is valid (if it is a signature at all, or if it contains
stuff like HTML-tags etc).

What Chris had done (changing the PGP-scoring to 0) also works,
practically making the PGP-faking useless. :-)






_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
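
The structural check described in the message above, as an added example (not part of the original post and not SpamAssassin code): it tests whether an armored block decodes as base64, passes the armor CRC-24 and begins with an OpenPGP signature packet, following RFC 4880. The function names are hypothetical, and the check says nothing about whether the signature verifies cryptographically.

```python
import base64
import binascii
import re

# One ASCII-armored signature block (RFC 4880, section 6.2).
ARMOR_RE = re.compile(
    r"-----BEGIN PGP SIGNATURE-----\r?\n(.*?)\r?\n-----END PGP SIGNATURE-----",
    re.S,
)

def crc24(data: bytes) -> int:
    """CRC-24 used by OpenPGP armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def looks_like_pgp_signature(text: str) -> bool:
    """True if text holds an armor block that is structurally a signature."""
    m = ARMOR_RE.search(text)
    if not m:
        return False
    body = [line.strip() for line in m.group(1).splitlines()]
    if "" in body:                      # armor headers end at the blank line
        body = body[body.index("") + 1:]
    body = [line for line in body if line]
    checksum = None
    if body and body[-1].startswith("=") and len(body[-1]) == 5:
        checksum = body.pop()[1:]       # optional "=XXXX" CRC line
    try:
        # validate=True rejects HTML tags and other non-base64 characters
        raw = base64.b64decode("".join(body), validate=True)
        if checksum is not None:
            want = int.from_bytes(base64.b64decode(checksum, validate=True), "big")
            if want != crc24(raw):
                return False
    except (binascii.Error, ValueError):
        return False
    if not raw or not raw[0] & 0x80:    # bit 7 is set on every packet header
        return False
    first = raw[0]
    tag = first & 0x3F if first & 0x40 else (first & 0x3C) >> 2
    return tag == 2                     # tag 2 = Signature Packet
```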
