On Thursday 11 March 2004 11:23 pm, Rui Miguel Seabra wrote:
<Snip>
> And if you use this feature that blindly, then you might as well not use
> digital signing at all.
>
> Automatic keyserver verification is for controlled keyservers, where
> keys have some verification, otherwise, you might be believing some key
> with no trust path at all.
>
> Rui

There is no trust involved. All it is saying is that the message matches the key on the keyserver, but that ultimately it's not trusted, because I haven't signed the key to say I trust it and can verify who signed the email 100%. All it does is get a copy of the key from the server and say they match. Trust is a different thing altogether. The only keys I trust are my own. By not making available your public key, I'm saying you may as well not sign it, as it's the same thing. At least if your key is available then I can say hey, it probably hasn't been tampered with, but I'm not saying hey, that is definitely from Joe Bloggs.

Dennis
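The distinction discussed in this message, between a signature that matches a fetched key and a key whose owner is trusted, shown as an added example that is not part of the original post. It assumes the machine-readable status lines GnuPG writes with `--status-fd`; the sample lines, key ID and function names are constructed for illustration.

```python
# Added example. Status keywords are GnuPG's (gpg --status-fd 1 --verify);
# the sample lines, key ID and function names are constructed for illustration.

TRUST = {"TRUST_UNDEFINED": "undefined", "TRUST_NEVER": "never",
         "TRUST_MARGINAL": "marginal", "TRUST_FULLY": "full",
         "TRUST_ULTIMATE": "ultimate"}

def classify(status_output):
    """Return (integrity, trust) parsed from gpg status lines."""
    integrity, trust = "unknown", "none"
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword == "BADSIG":
            integrity = "bad"                      # sticky: never upgraded
        elif keyword == "GOODSIG" and integrity != "bad":
            integrity = "good"                     # message matches the key
        elif keyword == "NO_PUBKEY" and integrity == "unknown":
            integrity = "unverifiable"             # key not available
        elif keyword in TRUST:
            trust = TRUST[keyword]                 # separate question: whose key?
    return integrity, trust

def describe(status_output):
    integrity, trust = classify(status_output)
    if integrity == "bad":
        return "REJECT: message does not match the signature"
    if integrity != "good":
        return "UNVERIFIED: no public key to check against"
    if trust in ("full", "ultimate"):
        return "VERIFIED: intact, and the key is one you trust"
    return "INTACT ONLY: matches the fetched key, owner not established"

# Constructed samples
FETCHED = """[GNUPG:] GOODSIG 0123456789ABCDEF Joe Bloggs <joe@example.org>
[GNUPG:] TRUST_UNDEFINED"""
CERTIFIED = """[GNUPG:] GOODSIG 0123456789ABCDEF Joe Bloggs <joe@example.org>
[GNUPG:] TRUST_FULLY"""
TAMPERED = "[GNUPG:] BADSIG 0123456789ABCDEF Joe Bloggs <joe@example.org>"
NO_KEY = "[GNUPG:] NO_PUBKEY 0123456789ABCDEF"

if __name__ == "__main__":
    for name, sample in [("fetched", FETCHED), ("certified", CERTIFIED),
                         ("tampered", TAMPERED), ("no key", NO_KEY)]:
        print(f"{name:10} {describe(sample)}")
```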