On 6/6/03 at 7:41 AM -0700, Phillip Hallam-Baker wrote:
Do you think that folk signing PGP keys are undertaking unlimited
liability should the certification turn out to be incorrect?
No, but if Mary turns out to be someone who signs PGP keys for people
I don't like, I can simply say "Don't trust Mary" in my PGP
application and the things she signs won't show up as valid unless
someone I do trust signs them. If RSA screws up and signs keys for
people I don't like, I can't (practically) say "Don't trust RSA"
without invalidating a bunch of keys that I probably do want to trust.
I'm not by any means saying that PGP is a perfect solution. It's just
that the liability scenario is very different because amount of
damage any given signer can do is much different.
pr
--
Pete Resnick <mailto:presnick(_at_)qualcomm(_dot_)com>
QUALCOMM Incorporated - Direct phone: (858)651-4478, Fax: (858)651-1102