For those who missed it: Hushmail is pwnd
Dave Howe
DaveHowe at gmx.co.uk
Fri Nov 9 10:40:42 PST 2007
Sarad AV wrote:
> Now, how do we know which key distribution authority
> and which certifying authority to trust? Isn't this
> going to be a problem? Trust doesn't seem to work as
> well as it used to.
Trust has *never* worked in that sense - the WoT only really works
inside strongly connected sets (less than one in five of keys I have
obtained from the pgp keyservers have a signature from someone I would
trust to introduce people to me) and commercial CAs have always been
both lax in their checking (although a *little* more than "the check
clears") and happy to "co-operate" with law enforcement requests.
However, in a more limited sense, trust *does* work - I can rely on
keys I have checked myself, and have a limited number of people spread
across the world whose signatures I will trust to indicate they have
done the required checking themselves. Of course, now that the commonly
accepted hashes are suspect, I have to wonder about the viable lifespan
of a signed key...