1993-07-12 - Re: Radical Paranoia?

Header Data

From: dmandl@lehman.com (David Mandl)
To: mdiehl@triton.unm.edu
Message Hash: 4973be90d00ca7c04e4b74759019ebbce023250f5ef2c3f2f7dd8ef89d9753de
Message ID: <9307121350.AA06834@disvnm2.shearson.com>
Reply To: N/A
UTC Datetime: 1993-07-12 13:50:48 UTC
Raw Date: Mon, 12 Jul 93 06:50:48 PDT

Raw message

From: dmandl@lehman.com (David Mandl)
Date: Mon, 12 Jul 93 06:50:48 PDT
To: mdiehl@triton.unm.edu
Subject: Re: Radical Paranoia?
Message-ID: <9307121350.AA06834@disvnm2.shearson.com>
MIME-Version: 1.0
Content-Type: text/plain


> From: J. Michael Diehl <mdiehl@triton.unm.edu>
> 
>      Let's say someone emails me a key and the return address matches that of
> the address in the key.  Do I assume no one is spoofing me?  You have to
> admit that this is possible albeit unlikely.  What good is key certification
> if it's only "probably valid?"  I've noticed that many of the keys on the
> server are signed with the same person's key.  I doubt that these people
> have had physical contact with each of the people whose key that they've
> signed.  Am I just being paranoid, or is there a valid issue here?  I
> welcome any of your comments.

Anything is possible.  It's best to play it VERY safe when it comes to
certifying or accepting keys.  The ideal thing is to accept only keys
that have been signed by a key you know to be good.  Start with a key
that's been handed to you personally (or that you are absolutely certain
is legit), and work from there.

Some folks (bless them) have signed oodles of keys and are very trustworthy;
if you can work through the web to them eventually (being careful along
the way about who you trust as a certifier), you'll eventually have a windfall.

No, most people on the public servers have probably not met face to face;
they've worked their way to each other using trusted signatures and certifiers.
Just be careful about who you trust.

   --Dave.
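
The acceptance rule described in the reply above, sketched as an added example that is not part of the original message. The key names and signature data are constructed, and the single-signature rule is a simplification assumed here, not PGP's own trust computation.

```python
# Added illustration: a simplified web-of-trust walk (assumed model, not PGP's).
from collections import deque

def accepted_keys(signatures, verified_in_person, trusted_certifiers):
    """Return {key: certification path} for every key that can be accepted.

    signatures:          {key: set of keys that signed it}
    verified_in_person:  keys handed over personally (the starting point)
    trusted_certifiers:  keys whose owners you trust to check identities
    A key is accepted if it was verified in person, or if it carries a
    signature from an accepted key that is also a trusted certifier.
    """
    # Invert the map: signer -> keys that signer has certified.
    signed_by = {}
    for key, signers in signatures.items():
        for signer in signers:
            signed_by.setdefault(signer, set()).add(key)

    paths = {key: [key] for key in verified_in_person}
    queue = deque(sorted(verified_in_person))
    while queue:
        signer = queue.popleft()
        # A valid key whose owner is not a trusted certifier vouches for nobody.
        if signer not in trusted_certifiers:
            continue
        for key in sorted(signed_by.get(signer, ())):
            if key not in paths:
                paths[key] = paths[signer] + [key]
                queue.append(key)
    return paths

# Constructed keyring: "alice" was handed over in person.
SIGNATURES = {
    "bob": {"alice"},
    "carol": {"bob"},
    "dave": {"carol"},        # carol's key is valid, but she is not a trusted certifier
    "mallory": {"mallory"},   # arrived by email, matching return address, self-signed only
    "erin": {"mallory"},
}
ACCEPTED = accepted_keys(SIGNATURES, {"alice"}, {"alice", "bob"})

if __name__ == "__main__":
    for key in sorted(SIGNATURES):
        path = ACCEPTED.get(key)
        print(f"{key:8}", " -> ".join(path) if path else "not accepted")
```

A matching return address contributes nothing to the result: "mallory" and "erin" stay unaccepted because no chain of trusted certifiers reaches them from the key verified in person.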




