On message signing and Enigmail...

Robert J. Hansen rjh at sixdemonbag.org
Wed Feb 1 21:45:05 CET 2012


On 2/1/12 3:34 PM, Christopher J. Walters wrote:
> On the issue of signing:  I do sign my messages, and have uploaded my
> public keys to key servers, so they are available to check that no
> one has changed my message.

Except that it doesn't.  What's to prevent me from creating a
certificate with your name and email address and making posts in your
name, with a signature from a certificate that claims to be yours?

Nothing -- and that signature is every bit as credible as the one that's
from your own certificate.  You might say, "but that certificate's a
fraud, my certificate's real!", but the Christopher Walters impersonator
will say the same thing about you.  There's no way to check.

I understand the desire to give people a way to verify the integrity of
your message, but the way you're going about it has some glaring and
obvious flaws.

> In reply to the concept that it is meaningless, I will say that I
> feel that it adds a layer of trust (perhaps more than one, if you
> have one or more lines of trust to the poster) that the message was,
> in fact, posted by the person signing it, and that person stands
> behind what they say.

I can't argue against a feeling.  No one can.  Feelings are what they
are, and they are immune to the forces of reason.

That said, I consider this sentiment to be a close analogue of feeling
that statements given by argyle-wearing men who speak Occitan with a
lisp are more trusted than statements given by others.  It's crazy.
It's just that it's your particular flavor of it, and I respect that.
Just don't ask me to subscribe to it.  :)

(No pejoration is intended.  We all have our own particular flavors of
crazy.)
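The look-alike-certificate problem described above, as an added example that is not part of this thread and not GnuPG or Enigmail code. It uses Go's ed25519 as a stand-in for OpenPGP: a second key minted with the same user ID verifies just as well as the genuine one when the check goes by name, and only a fingerprint confirmed out of band (in person, or through a trusted path in the web of trust) tells them apart. The user ID, the message, and the hex-of-key "fingerprint" are constructed stand-ins.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
)

// Identity stands in for an OpenPGP user ID and the public key carrying it.
// Nothing stops two different keys from carrying the same user ID.
type Identity struct {
	UserID string
	Pub    ed25519.PublicKey
}

// Fingerprint is a constructed stand-in for a key fingerprint (hex of the raw
// key): the value a recipient pins after confirming it out of band.
func Fingerprint(pub ed25519.PublicKey) string {
	return hex.EncodeToString(pub)
}

// NewIdentity mints a key claiming userID. Anyone can do this for any name;
// the user ID is a claim made by the key holder, not a verified fact.
func NewIdentity(userID string) (Identity, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // the system CSPRNG failing is not recoverable here
	}
	return Identity{UserID: userID, Pub: pub}, priv
}

// VerifyByUserID mimics "fetch the sender's name from a keyserver and check":
// it accepts the signature if any key carrying that user ID validates it.
func VerifyByUserID(keyring []Identity, userID string, msg, sig []byte) bool {
	for _, id := range keyring {
		if id.UserID == userID && ed25519.Verify(id.Pub, msg, sig) {
			return true
		}
	}
	return false
}

// VerifyPinned accepts only the one key whose fingerprint was checked out of
// band, so a look-alike key with the same user ID is ignored.
func VerifyPinned(keyring []Identity, pinnedFP string, msg, sig []byte) bool {
	for _, id := range keyring {
		if Fingerprint(id.Pub) == pinnedFP {
			return ed25519.Verify(id.Pub, msg, sig)
		}
	}
	return false
}
```

With two keys carrying the same user ID in the keyring, VerifyByUserID accepts a signature from either, while VerifyPinned accepts only the key whose fingerprint was pinned.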



More information about the Gnupg-users mailing list