What email encryption is actually in use?

David Howe DaveHowe at gmx.co.uk
Mon Nov 4 01:29:01 PST 2002


at Monday, November 04, 2002 2:28 AM, Tim May <tcmay at got.net> was seen
to say:
> Those who need to know, know.
Which of course is a viable model, provided you are only using your key
for private email to "those who need to know".
If you are using it for signatures posted to a mailing list though, it
just looks silly.

> You, I've never seen before. Even if you found my key at the Liberal
> Institution of Technology, what would it mean?
It would at least give us a chance to check the integrity of your post
(what a sig is for after all) and anyone faking your key on the servers
would have to prevent you ever seeing one of your own posts (so that you
can't check the signature yourself).

> Parts of the PGP model are ideologically brain-dead. I attribute this
> to left-wing peacenik politics of some of the early folks.
The Web-of-Trust model is mildly broken - all you can really say about
it is that it is better than the alternatives (X509 is not only badly
broken, but badly broken for the purpose of hierarchical control and/or
profit).
In the current case, one reason to sign important posts is to establish
a pattern of ownership for posts, independent of real-world identity. If
I know that posts a,b & c sent from nym x are all signed, I will be
reasonably confident that key y is owned by the normal poster of nym x.
That I don't know who that is in meatspace is pretty irrelevant.
Where both systems break down is when trying to assert that key y is
tied to anything but an email address (or possibly a static IP). There
is little to bind a key to anything or anyone in the real world, unless
you meet in person, know each other reasonably well (if only via third
parties that can identify you both) and exchange fingerprints. In fact,
WoT is simply an attempt to automate this process offline, so that you
can be "introduced" to someone by a third party without all three of you
having to meet; you still have to make a value judgement based on how
sure you are about the third party's reliability and how confident they
seem about the identity of x - however in the real world, both of those
are vague, hard-to-define values and in the WoT they are rigid (you have
a choice of two levels of trust for an introducer, and no way to encode
how much third parties should rely on your identification).





More information about the cypherpunks-legacy mailing list
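
Added example, not part of the original post and not code from any PGP implementation: a simplified model of the introducer scheme the post describes, where each introducer is either marginally or fully trusted and a certification is a plain signed/not-signed fact. The keyring, the names and the threshold defaults are constructed assumptions.

```python
from enum import Enum

class Trust(Enum):
    NONE = 0      # not used as an introducer
    MARGINAL = 1
    FULL = 2

def valid_keys(own_key, certs, owner_trust, completes_needed=1,
               marginals_needed=2, max_depth=5):
    """Keys accepted as valid from own_key's point of view.

    certs: signer -> set of keys that signer has certified (signed or not).
    owner_trust: key -> Trust the user assigns to that key's owner as introducer.
    Thresholds are assumed parameters of this model, adjustable by the caller.
    """
    trust = {**owner_trust, own_key: Trust.FULL}
    valid = {own_key}
    for _ in range(max_depth):          # one pass per link in the chain
        full, marginal = {}, {}
        for signer in valid:            # only validated keys may introduce
            level = trust.get(signer, Trust.NONE)
            if level is Trust.NONE:
                continue
            tally = full if level is Trust.FULL else marginal
            for target in certs.get(signer, ()):
                tally[target] = tally.get(target, 0) + 1
        newly = {k for k in full.keys() | marginal.keys()
                 if k not in valid
                 and (full.get(k, 0) >= completes_needed
                      or marginal.get(k, 0) >= marginals_needed)}
        if not newly:
            break
        valid |= newly
    return valid

# Constructed sample keyring (all names hypothetical).
CERTS = {
    "me": {"alice", "bob", "carol"},   # fingerprints exchanged in person
    "alice": {"dave"},
    "bob": {"erin"},
    "carol": {"erin", "frank"},
}
OWNER_TRUST = {"alice": Trust.FULL, "bob": Trust.MARGINAL,
               "carol": Trust.MARGINAL}

if __name__ == "__main__":
    print(sorted(valid_keys("me", CERTS, OWNER_TRUST)))
```

In this model frank, vouched for by a single marginal introducer, stays unvalidated, and nothing in the data can record how sure carol was about frank compared with erin.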