[7747] in cryptography@c2.net mail archive
Re: reflecting on PGP, keyservers, and the Web of Trust
daemon@ATHENA.MIT.EDU (David Honig)
Tue Sep 5 19:08:51 2000
Message-Id: <3.0.6.32.20000903090136.009756c0@pop.sprynet.com>
Date: Sun, 03 Sep 2000 09:01:36 -0700
To: "Arnold G. Reinhold" <reinhold@world.std.com>,
David Honig <honig@sprynet.com>, Ed Gerck <egerck@nma.com>,
Greg Rose <ggr@qualcomm.com>
From: David Honig <honig@sprynet.com>
Cc: cryptography@c2.net
In-Reply-To: <v04210102b5d75e6b01f2@[24.218.56.92]>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
At 09:56 PM 9/2/00 -0400, Arnold G. Reinhold wrote:
>At 3:48 PM -0700 9/1/2000, David Honig wrote:
>>At 09:34 AM 8/30/00 -0700, Ed Gerck wrote:
>>>
>>>BTW, many lawyers like to use PGP and it is a good usage niche. Here,
>>>in the North Bay Area of SF, PGP is not uncommon in such small-group
>>>business users.
>>
>>How do they exchange public keys? Via email I'll bet.
>>
>
>So what if they do? A Man in the Middle attack is difficult to mount
>and expensive to maintain. It is also easy to detect if the parties
>ever use out-of-band means to verify keys. I would judge the risk of
>a MITM attack as much lower than the risk of keys being stolen from
>the lawyers' computers.

I didn't make myself clear. I meant that PGP is perfectly useful
*without any keyservers*. I am in *favor* of people not publishing
their keys, except maybe if you were a business and *wanted* cold-calls
[1]. Sort of like a front-office line and a private back line.

[1] or access and ownership of the keyserver were limited (think corporate
online phone directory)