Re: Authentication at toad.com: WTF?
-----BEGIN PGP SIGNED MATERIAL-----
On Wed, 30 Nov 1994, The new cypherpunks signature checking agent wrote:
> The below message was found to have a valid signature from "JEFF LICQUIA (CEI) " JLICQUIA@mhc.uiuc.edu.

Apparently it was a spoof, but whatever. I'd be really bugged by the security implications of software claiming to have validated signatures; software that complains about bogus sigs is fine, since if it's spoofed it's only a warning, and if the warnings are deleted your trust is still somewhat limited unless you've verified the signatures yourself. Trusting someone else's verification is less than ideal security policy :-)

Bill

-----BEGIN PGP SIGNATURE-----
Pgp-version: 32767

uhohovhoehvohfvoihvhoviheoivhefoivhefohvefohv
jhjhohhuhvuhiuhewiuvhiuhfveiuhefviuhevhevhvhh
-----END PGP SIGNATURE-----

Cypherpunks signature checking agent: It's valid - trust me!

From: wcs@anchor.ho.att.com (bill.stewart@pleasantonca.ncr.com +1-510-484-6204)

> Trusting someone else's verification is less than ideal security policy :-)

But likewise, preventing folks from letting someone else (their legal agent) perform verification for them is a less than ideal political policy. There are going to be lots of good reasons (mostly of cost) to use agency relationship for security. It would be profitable to characterize the threats and come up with some solutions rather than to deny that these things will happen.

Eric
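
The threat discussed in this thread, as an added example that is not part of either post: a "valid" banner inside the message body is text anyone can type, while a verdict the agent delivers out of band and binds to the message with a MAC can be checked by the reader. The key, function names and sample messages are constructed for illustration, and the agent's actual PGP check is assumed to have happened and is passed in as `verdict`.

```python
import hashlib
import hmac

# Constructed demo key (assumption): shared only by the reader and the agent they chose.
AGENT_KEY = b"constructed-demo-key-not-a-real-secret"
# Banner text from the thread; a sender can paste it into any message body.
BANNER = b"Cypherpunks signature checking agent: It's valid - trust me!"


def _tag(key, body, signer, verdict):
    # Length-prefix each field so (signer, verdict) pairs cannot be confused.
    fields = [hashlib.sha256(body).digest(), signer.encode(), verdict.encode()]
    data = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def agent_attest(key, body, signer, verdict):
    """Agent side: the verdict travels outside the body, bound to these exact bytes."""
    return {"signer": signer, "verdict": verdict,
            "tag": _tag(key, body, signer, verdict)}


def reader_accepts(key, body, attestation):
    """Reader side: return the signer for an authenticated 'valid' verdict, else None."""
    if attestation is None:
        return None  # an in-band banner alone carries no weight
    signer = str(attestation.get("signer", ""))
    verdict = str(attestation.get("verdict", ""))
    expected = _tag(key, body, signer, verdict)
    supplied = str(attestation.get("tag", ""))
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return None
    return signer if verdict == "valid" else None


def demo():
    genuine = b"constructed message body\n"
    spoofed = b"constructed spoof body\n" + BANNER + b"\n"
    good = agent_attest(AGENT_KEY, genuine, "alice@example.org", "valid")
    bad = agent_attest(AGENT_KEY, spoofed, "alice@example.org", "invalid")
    return {
        "banner_only": reader_accepts(AGENT_KEY, spoofed, None),
        "authenticated": reader_accepts(AGENT_KEY, genuine, good),
        "replayed_on_other_body": reader_accepts(AGENT_KEY, spoofed, good),
        "verdict_flipped": reader_accepts(AGENT_KEY, spoofed, dict(bad, verdict="valid")),
        "wrong_key": reader_accepts(AGENT_KEY, genuine,
                                    agent_attest(b"other key", genuine, "alice@example.org", "valid")),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

This only stops third parties from forging the agent's claim; the reader is still trusting the agent itself, which is the agency relationship the thread is debating.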
participants (2): eric@remailer.net, wcs@anchor.ho.att.com