From: Alex Alten <Alten@home.com>
Date: Fri, 25 Dec 1998 14:57:40 +0800
To: Patrick Feisthammel <pafei@rubin.ch>
Subject: Re: mysterious PGP release-signing keys
In-Reply-To: <3.0.3.32.19981223195440.00b29970@mail>
Message-ID: <3.0.3.32.19981224212522.009fd100@mail>
MIME-Version: 1.0
Content-Type: text/plain



>> This is yet another a good example of why one should never confuse using
PK 
>> certificates with security.  An email PGP signature looks impressive but in
>> practice it is useless.
>
>It is usefull iff you can verify the validity of the used PK certificate.
>That's what the web of trust in PGP is for.
>

Unfortunately the "if" is false.  I have no idea if your fancy PK signature 
really represents you.  Just look at the recent trouble Black Unicorn has 
had with someone else using the same name affiliated with a key stored on 
the Network Associates PGP key server. Dave could not verify a PK signature 
for the PGP software distribution itself.  PKI, or a web of trust, looks 
good on paper but in practice it does not work when scaled up to large 
numbers of networked users.

- Alex
--

Alex Alten

Alten@Home.Com
Alten@TriStrata.Com

P.O. Box 11406
Pleasanton, CA  94588  USA
(925) 417-0159