On Wed, 23 Jan 2008 16:36:23 +0100, "Maximilien Cuony [The_Glu]" maximilien@theglu.org wrote:
Hi,
On one last note; I can't help but notice the omission of keyservers in any of these scenarios. I mean you /must/ use them. Yet nobody even mentions the possibility of /them/ being trustworthy.
Just to be sure, you're speaking about checking signatures with keys on servers (like pgp.mit.edu)?
Or: wwwkeys.pgp.net, or www.keyserver.net, or subkeys.pgp.net, or blackhole.pca.dfn.de, or pks.aaiedu.hr, or random.sks.keyserver.penguin.de.
Yes. :)
--Chris
Regards,
On Fri, 18 Jan 2008 02:56:12 -0800, chris# chris#@codewarehouse.NET wrote:
On Thu, 17 Jan 2008 20:22:41 +0100, till klimpong@gmail.com wrote:
Dear Maximilien,
On Jan 17, 2008 4:17 PM, Jason Fesler jfesler@gigo.com wrote:
(...) Oh well, off my soap box. Implement what you want. I just hope any README or whatever includes some paranoia.
+1
I'm not strictly against this feature but then again I wouldn't upload my key to *any* provider.
Think about the general risk. I am not saying that someone will spy on you and steal your key, but what if they get hacked, etc.?
Then their ssl certs will /also/ be at risk. Hell, it /really/ is not difficult to "lift" their certs, and implement a little DNS cache poisoning and claim to be them. Then /you/ as their user will continue to use a server you /believe/ to be them. While all the while, they're (the hackers) in complete control of your mail. Phishing also comes to mind.
There are multiple scenarios that come to mind. I guess it's fine to have this feature when you are in total control of your environment and don't mind the risk.
Anyway, having said that - and since no one else said, "OH I AM WORKING ON THIS", go knock yourself out. ;-)
I believe it is a worthy cause in both cases. It would simply be more feasible as a "server side" solution.
On one last note; I can't help but notice the omission of keyservers in any of these scenarios. I mean you /must/ use them. Yet nobody even mentions the possibility of /them/ being trustworthy.
Till
///////////////////////////////////////////////////// Service provided by hitOmeter.NET internet messaging! .
List info: http://lists.roundcube.net/dev/
-- Maximilien Cuony [The_Glu] http://theglu.org