[7753] in cryptography@c2.net mail archive


Re: reflecting on PGP, keyservers, and the Web of Trust

daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Tue Sep 5 19:42:59 2000

From: "Steven M. Bellovin" <smb@research.att.com>
To: Dan Geer <geer@world.std.com>
Cc: David Honig <honig@sprynet.com>, cryptography@c2.net
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 05 Sep 2000 19:20:51 -0400
Message-Id: <20000905232052.2649135DC2@smb.research.att.com>

In message <200009032133.RAA13186@world.std.com>, Dan Geer writes:
>
>>   How do they exchange public keys?  Via email I'll bet.
>
>Note that it is trivial(*) to construct a self-decrypting
>archive and mail it in the form of an attachment.  The
>recipient will merely have to know the passphrase.  If
>transit confidentiality is your aim and old versions 
>of documents are irrelevant once the ink is dry on the
>proverbial bond paper, this is quite workable and involves
>no WoT at all, just POTS.

No!  We've discussed this point many times before -- what if the 
attacker sends a Trojan horse executable?

		--Steve Bellovin



