2011/1/25 Nitesh Mistry mailbox@mistrynitesh.net:
I think it's time you checked a couple of other servers as well. I can confirm that my keys are hosted on at least two public servers.
Therein lies the point. Should I (or anyone who'd like to verify your signature) go around every keyserver looking for your key? How do I know which keyserver to look on?
So first the problem was that there was no instruction in the mail on how to verify the signature, and now the problem is that it is not signed!
The problem is neither of the above - it is that signing messages adds no value to their contents, if signed with a key that is trusted by no one. And unless you are someone who is frequently impersonated, there is no point in signing messages sent to a public access mailing list. It only reduces the S/N further.
BTW, how can one say that if the key couldn't be found on the keyserver?
I did make an effort to locate your key and evaluate your usage, you know.
What better way to popularise use of pgp than to sign messages to a public mailing list? At least I came to know about it only when I saw them on
Your system has loopholes. You say that the keyserver to search on is mentioned on your homepage, a link to which (along with the key ID) is included in your email, whose signature the recipient is supposed to verify. Do you see the circular logic here that negates any advantage you might have had from signing the message?
The popularity of pgp should be based on its merits - not based on incorrect and faulty usage that puts users at more risk than they were.
I believe signing messages also indicates ownership of the content of the message. And though the key is not signed at the moment, it can always be authenticated anytime, if anyone wants to.
An untrusted key does nothing of that sort. For example, anybody can register niteshmistry.com, set up an email ID and website, generate a key, upload it to a keyserver and start signing messages as mailbox@niteshmistry.com. Without the WoT, how do you protect your correspondents from this scenario?
Even in the offline world, signing a document is usually not enough - a witness should countersign indicating that he knows the person signing and vouches that the signature is authentic. The WoT extends this concept to the Internet.
Binand
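To make the trust computation behind this exchange concrete, here is an added example that is not part of the thread: a simplified model of GnuPG's classic web-of-trust validity rules with their default thresholds (one fully trusted certifier, or three marginally trusted ones, with chains up to five certifications deep). All key ids, certifications and owner-trust assignments are constructed, and the cryptographic verification of each certification signature is assumed to have already succeeded; only the trust decision is modelled.

```python
from typing import Dict, Set

COMPLETES_NEEDED = 1   # gpg default: one fully trusted certifier suffices
MARGINALS_NEEDED = 3   # gpg default: or three marginally trusted ones
MAX_CERT_DEPTH = 5     # gpg default: longest certification chain honoured


def compute_validity(certs: Dict[str, Set[str]], owner_trust: Dict[str, str],
                     my_key: str) -> Dict[str, str]:
    """Map each key id to 'full', 'marginal' or 'unknown' validity.
    certs: key id -> ids of keys whose certification of its user ID verified.
    owner_trust: key id -> 'full' or 'marginal', how far I trust that owner
    to certify others. My own key is treated as ultimately trusted.
    """
    trust = dict(owner_trust, **{my_key: "full"})
    validity = {k: "unknown" for k in certs}
    validity[my_key] = "full"
    for _ in range(MAX_CERT_DEPTH):          # each pass extends chains by one
        prev = dict(validity)
        for key, certifiers in certs.items():
            if prev[key] == "full":
                continue
            # A certification counts only if the certifier's key is already
            # fully valid to me AND I assigned it owner trust; a self-signature
            # or signatures from strangers contribute nothing.
            usable = [c for c in certifiers if prev.get(c) == "full" and c in trust]
            fulls = sum(trust[c] == "full" for c in usable)
            margs = sum(trust[c] == "marginal" for c in usable)
            if fulls >= COMPLETES_NEEDED or margs >= MARGINALS_NEEDED:
                validity[key] = "full"
            elif usable:
                validity[key] = "marginal"
        if validity == prev:
            break
    return validity


def demo_validity() -> Dict[str, str]:
    """Constructed keyring (not real key ids): a genuine key reachable through
    my WoT beside an impersonator's key for the same address."""
    certs = {
        "ME": {"ME"}, "ALICE": {"ALICE", "ME"}, "BOB": {"BOB", "ME"},
        "CAROL": {"CAROL", "ME"}, "DAVE": {"DAVE", "ME"},
        "NITESH_REAL": {"NITESH_REAL", "ALICE"},      # Alice vouched for it
        "NITESH_FAKE": {"NITESH_FAKE", "STRANGER"},   # anyone can upload this
        "ERIN": {"ERIN", "BOB", "CAROL"},             # only two marginals
        "FRANK": {"FRANK", "BOB", "CAROL", "DAVE"},   # three marginals
    }
    owner_trust = {"ALICE": "full", "BOB": "marginal",
                   "CAROL": "marginal", "DAVE": "marginal"}
    return compute_validity(certs, owner_trust, "ME")
```

A valid signature from NITESH_FAKE verifies cryptographically just as well as one from NITESH_REAL; only the certification path from a key I trust distinguishes them.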