[RCD] PGP - GPG ?

chris# chris# at codewarehouse.NET
Thu Jan 24 17:43:50 CET 2008




On Wed, 23 Jan 2008 16:36:23 +0100, "Maximilien Cuony [The_Glu]" <maximilien at theglu.org> wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi,
> 
>> On one last note; I can't help but notice the omission of keyservers
>> in any of these scenarios. I mean you /must/ use them. Yet nobody
>> even mentions the possibility of /them/ being trustworthy.
> 
> Just to be sure, you're speaking about checking signs with key on servers
> (like pgp.mit.edu) ?

Or:
wwwkeys.pgp.net, or www.keyserver.net, or subkeys.pgp.net, or
blackhole.pca.dfn.de, or pks.aaiedu.hr, or random.sks.keyserver.penguin.de.

Yes. :)

--Chris

> 
> Regards,
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.8 (GNU/Linux)
> Comment: http://firegpg.tuxfamily.org
> 
> iEYEARECAAYFAkeXXvIACgkQjKKs5/FTCjVtzQCdEbI/7X8nbGF4ty3W0sJ9nNWp
> vAQAn0TZKGI7kK0g+od60alY3JtWCBl8
> =SC3e
> -----END PGP SIGNATURE-----
> 
> 
> On Fri, 18 Jan 2008 02:56:12 -0800, chris# <chris#@codewarehouse.NET>
> wrote:
>>
>>
>>
>> On Thu, 17 Jan 2008 20:22:41 +0100, till <klimpong at gmail.com> wrote:
>>> Dear Maximilien,
>>>
>>> On Jan 17, 2008 4:17 PM, Jason Fesler <jfesler at gigo.com> wrote:
>>>> (...)
>>>> Oh well, off my soap box.  Implement what you want.  I just hope any
>>>> README or whatever includes some paranoia.
>>>
>>> +1
>>>
>>> I'm not strictly against this feature but then again I wouldn't upload
>>> my key to *any* provider.
>>>
>>> Think about the general risk. I am not saying that someone will spy on
>>> you and steal your key but what if they get hacked etc.
>>
>> Then their SSL certs will /also/ be at risk. Hell, it /really/ is not
>> difficult
>> to "lift" their certs, and implement a little DNS cache poisoning and
>> claim to be them. Then /you/ as their user will continue to use a server
>> you /believe/ to be them. While all the while, they're (the hackers)
>> in complete control of your mail. Phishing also comes to mind.
>>
>>> There are
>>> multiple scenarios that come to mind. I guess it's fine to have this
>>> feature when you are in total control of your environment and don't
>>> mind the risk.
>>>
>>> Anyway, having said that - and since no one else said, "OH I AM
>>> WORKING ON THIS", go knock yourself out. ;-)
>>
>> I believe it is a worthy cause in both cases. It would simply be more
>> feasible as a "server side" solution.
>>
>> On one last note; I can't help but notice the omission of keyservers
>> in any of these scenarios. I mean you /must/ use them. Yet nobody
>> even mentions the possibility of /them/ being trustworthy.
>>
>>>
>>> Till
>> /////////////////////////////////////////////////////
>> Service provided by hitOmeter.NET internet messaging!
>> .
>>
>>
>> _______________________________________________
>> List info: http://lists.roundcube.net/dev/
> --
> Maximilien Cuony [The_Glu]
> http://theglu.org