mailing list pgp signatures...

Mikkel L. Ellertson mikkel at infinity-ltd.com
Sat Jul 11 00:38:37 UTC 2009


Bruno Wolff III wrote:
> On Fri, Jul 10, 2009 at 17:47:52 -0500,
>   "Mikkel L. Ellertson" <mikkel at infinity-ltd.com> wrote:
>> How does it maintain your identity when we can not verify that you
>> signed the message. Without having your public key, all we know is
>> that someone signed the message. So, your signing your messages sent
>> to the mailing list does nothing except cause problems for others.
> 
> Because the messages are signed with the same key. So whoever is creating
> the signed messages has access to the private key. Key servers don't add a lot
> of assurance on top of this. And they add a risk that it tells other parties
> who you are communicating with.
> 
How do you know they are signed by the same key, if you do not have
the public key to check it with?

As far as accessing key servers telling people who I am
communicating with, they can get the same information by looking at
the members of the mailing lists I am on. As far as people I
exchange encrypted messages with, I didn't get their keys off a key
server.

But getting keys from a key server does not tell anyone who you are
communicating with unless someone puts a lot of effort into it. It
is much easier to watch the mail traffic going through your mail server.

Mikkel
-- 

  Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/fedora-list/attachments/20090710/5bc2d78b/attachment-0001.sig>


More information about the fedora-list mailing list