The inherent issue with signing messages is trusting a third party. (Supposing that third party can even keep everyone's keys straight.) That third party, i.e. VeriSign, is unfortunately the only way to verify a key. Personally, I wouldn't put any level of trust into anyone but myself when it comes to my system security, and validating the authenticity of data.

-----Original Message-----
From: plug-discuss-admin@lists.plug.phoenix.az.us [mailto:plug-discuss-admin@lists.plug.phoenix.az.us] On Behalf Of William Lindley
Sent: Wednesday, September 25, 2002 8:57 AM
To: plug-discuss@lists.plug.phoenix.az.us
Subject: Re: Digital Signing (Beat The Dead Horse) was Re: Free Software for m$

On Wed, 25 Sep 2002, Matt Alexander wrote:

> Derek, but signing gives reasonable assurance that the email received
> is really from him.

OK, I get a message. It's signed. How do I verify the authenticity of the signature? Against what database?

If User X writes a message, sends it ostensibly from Derek, and signs it with a bogus key, how do I know that, unless I already have Derek's key... and in fact some huge database of keys somewhere... it sounds like a data management nightmare, how is everyone supposed to keep track of everyone else's keys???

Still not getting it,
\\/