1998-12-25 - Re: mysterious PGP release-signing keys

Header Data

From: Alex Alten <Alten@home.com>
To: Patrick Feisthammel <pafei@rubin.ch>
Message Hash: b1dee2f61a39556a3bbfd29a6775c0c1000c0b467b05c0676aeae131e90f7ea1
Message ID: <>
Reply To: <>
UTC Datetime: 1998-12-25 06:57:40 UTC
Raw Date: Fri, 25 Dec 1998 14:57:40 +0800

Raw message

From: Alex Alten <Alten@home.com>
Date: Fri, 25 Dec 1998 14:57:40 +0800
To: Patrick Feisthammel <pafei@rubin.ch>
Subject: Re: mysterious PGP release-signing keys
In-Reply-To: <>
Message-ID: <>
MIME-Version: 1.0
Content-Type: text/plain

>> This is yet another good example of why one should never confuse using
>> certificates with security.  An email PGP signature looks impressive but in
>> practice it is useless.
>It is useful iff you can verify the validity of the used PK certificate.
>That's what the web of trust in PGP is for.

Unfortunately the "if" is false.  I have no idea if your fancy PK signature 
really represents you.  Just look at the recent trouble Black Unicorn has 
had with someone else using the same name affiliated with a key stored on 
the Network Associates PGP key server. Dave could not verify a PK signature 
for the PGP software distribution itself.  PKI, or a web of trust, looks 
good on paper but in practice it does not work when scaled up to large 
numbers of networked users.

- Alex

Alex Alten


P.O. Box 11406
Pleasanton, CA  94588  USA
(925) 417-0159