On Tue, Apr 10, 2007 at 06:22:15PM -0400, Arthur Hagen wrote: > On Wed, 2007-04-11 at 00:00 +0200, Magnus Holmgren wrote:
> > On Tuesday 10 April 2007 23:51, Arthur Hagen wrote:
> > > On Tue, 2007-04-10 at 23:27 +0200, Magnus Holmgren wrote:
> > > > And even if you can't trust that I am me, you can still be confident
> > > > that all
> > > > messages signed with this key come from the same person.
> > >
> > > That's another (and common) fallacy. That's only the case if the holder
> > > of the key can be trusted to keep the secret key confidential. When the
> > > holder of the key can't be trusted to his identity, that can't be
> > > trusted either.
> >
> > It is in his own interest to keep it secret, and to have a revocation
> > certificate ready in case it's compromised.
>
> The card house is no stronger than the weakest card, which in this case
> is the inability for most recipients of the signed message to verify the
> public key.
Then don't use his PGP key if you don't want to. That doesn't
invalidate the usefulness of the keys for the rest of the world who
understands the purpose of the system.
