On Tue, 2006-01-31 at 14:41 -0800, Gordon Messmer wrote:
> He'll see a message, either with an inline PGP signature, or an
> attachment (depending on your client configuration), but won't have
> any indication that the signature is valid. It's just some extra data
> in the message. He'd have to install a PGP plugin for Outlook, and
> get your key's fingerprint from you in order to validate signed
> messages.
>
> This is why I advocate SMIME: more people already have the software to
> validate your messages.

I think both systems have big problems: both have quite a bit of complexity, both in getting them set up and in understanding that you should really pay attention to "invalid" warnings.

Getting a certificate to prove who you are can be difficult. And I have concerns that some don't really do checks that would prove you are who you say you are. And even with a cert, it may just prove that the same computer was used, but not prove whoever was typing on it.

Really verifying self-made PGP certificates is difficult. It seems more suited to trusting friends you've met in person (i.e. that you're really getting mail from that guy you met yesterday, not someone sitting next to him who heard you say your e-mail address out loud), but you don't know who they really are unless you checked some other form of ID when you met them. And again, a PGP-signed mail may just prove that you got an e-mail from their computer, not prove who it was typing on their keyboard.

-- 
Don't send private replies to my address, the mailbox is ignored. I read messages from the public lists.