[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] PGP and Signed Messages,

Seth David Schoen writes:

> People also don't necessarily check it in practice.  Someone made fake
> keys for all of the attendees of a particular keysigning party in
> 2010 (including me); I've gotten unreadable encrypted messages from
> over a dozen PGP users as a result, because they believed the fake key
> was real or because software auto-downloaded it for them without
> checking the signatures.

This happened once again today, shortly after I wrote this message!
The person who made the mistake was a cryptography expert who has done
research in this area.  So I fear the web of trust isn't holding up
very well under strain, at least in terms of common user practices with
popular PGP clients.

Seth Schoen  <schoen@xxxxxxx>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x107
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to