Mailscanner Update

Spicer, Kevin Kevin.Spicer at BMRB.CO.UK
Tue Mar 9 13:26:19 GMT 2004


MailScanner wrote:
> How do I know the private key and passphrase are yours and not
> generated by Joe Cracker under a pseudonym of Julian Field? I cannot
> verify remotely that any of these are physically held by you. The
> only way I can trust your PGP key is through you verifying its hash
> in person or through the trust of a mutual contact that I know has
> done so. 
> 
> In the meantime I'd rather trust that Southampton University has a
> reasonable security policy and will not allow unauthorised access to
> its HTTP servers ;-)

It's all about balance of probability.  It's likely that Southampton has robust security policies and practices, but lots of organisations have 'good' security and still get hacked (there's always the exploit we don't know about yet).  It's less likely that the file you are grabbing is compromised if it is signed by someone called Julian Field, and the public key that matches it is the same one that signed the previous six releases you downloaded, and matches the footprint Julian gives in his signature, and is signed by several other people who show up on this list from time to time (some of whom probably also sign emails with their pgp footprint).  etc. etc.

You also mention x509 as a more secure alternative.  I disagree; the trouble with x509 is that you either trust it or you don't.  So you have to trust that the certificate really does belong to whoever Verisign [or whichever issuing authority is chosen].  Which means you have to trust Verisign, there's a frightening thought in itself.  After all, they do such stringent checks that nothing like this http://www.verisign.com/developer/notice/authenticode/ could ever happen.



BMRB International 
http://www.bmrb.co.uk
+44 (0)20 8566 5000
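The key-continuity check the reply describes (the same key that signed the previous six releases), as an added example that is not from the original post or from the MailScanner project: a POSIX shell function that parses gpg's machine-readable `--status-fd` output and accepts a download only when the signature is good and was made by the pinned release-signing fingerprint. The fingerprint, user ID and status lines are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Pinned fingerprint of the release-signing key, recorded from earlier releases.
# Placeholder value constructed for this example, not a real key.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Reads gpg --status-fd output from stdin. Returns 0 only if gpg reported a
# GOODSIG and the VALIDSIG fingerprint equals the pinned one. GOODSIG alone is
# not enough: it fires for any key in the keyring, so a stranger's key imported
# under the same name would pass. Comparing the full fingerprint (never the
# 8/16-hex key ID) is what ties this release to the earlier ones.
check_validsig() {
    pinned="$1"
    status=$(cat)
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || {
        echo "no good signature" >&2; return 1; }
    fpr=$(printf '%s\n' "$status" | awk '$1=="[GNUPG:]" && $2=="VALIDSIG" {print $3; exit}')
    [ "$fpr" = "$pinned" ] && { echo "valid signature by pinned key $fpr"; return 0; }
    echo "valid signature but by UNPINNED key $fpr (expected $pinned)" >&2
    return 2
}

# Real-world invocation (not run here): gpg writes its status lines to fd 3.
# gpg --status-fd 3 --verify release.tar.gz.sig release.tar.gz 3>&1 1>/dev/null 2>&1 \
#   | check_validsig "$PINNED_FPR"

# Constructed sample status output, in the format gpg emits for a good signature.
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Julian Field <placeholder@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2004-03-09 1078837579 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Same name on the user ID, different (unknown) key: must be rejected.
IMPOSTOR_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Julian Field <placeholder@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2004-03-09 1078837579 0 4 0 1 2 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Signature did not verify at all.
BAD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Julian Field <placeholder@example.invalid>'

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$GOOD_STATUS" | check_validsig "$PINNED_FPR"
    printf '%s\n' "$IMPOSTOR_STATUS" | check_validsig "$PINNED_FPR" || echo "rejected ($?)"
fi
```

Run with `sh script.sh demo` to see the pinned key accepted and the impostor key rejected with exit status 2.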