The inherent issue with signing messages is trusting a third party.
(Supposing that third party can even keep everyone's keys straight.) That
third party, IE verisign, is unfortunately the only way to verify a key.
Personally, I wouldn't put any level of trust into anyone but myself when it
comes to my system security, and validating the authenticity of data.
-----Original Message-----
From:
plug-discuss-admin@lists.plug.phoenix.az.us
[
mailto:plug-discuss-admin@lists.plug.phoenix.az.us]On Behalf Of William
Lindley
Sent: Wednesday, September 25, 2002 8:57 AM
To:
plug-discuss@lists.plug.phoenix.az.us
Subject: Re: Digital Signing (Beat The Dead Horse) was Re: Free Software
for m$
On Wed, 25 Sep 2002, Matt Alexander wrote:
> Derek, but signing gives reasonable assurance that the email received
> is really from him.
OK, I get a message. It's signed. How do I verify the authenticity of
the signature? Against what database? If User X writes a message, sends
it ostensibly from Derek, and signs it with a bogus key, how do I know
that, unless I already have Derek's key... and in fact some huge database
of keys somewhere... it sounds like a data management nightmare, how is
everyone supposed to keep track of everyone else's keys???
Still not getting it,
\\/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
PLUG-discuss mailing list -
PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change you mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
(text/plain)