Re: "The End of SSL and SSH?"

[Stefan Monnier <monnier+lists.bugtraq/news/@RUM.CS.YALE.EDU>]

> > > > > "Perry" == Perry E Metzger <perry () PIERMONT COM> writes:
> > I used to religously sign email's with PGP until I realized that
> > no-one probably checked, how did I know this? I started modifying
> > the email after signing so that it wouldn't verify, no-one ever complained.
> I'm hardly surprised. The tools to check are hard to use and the need
> is rarely obvious.

In a previous life I implemented PGP support for the ExMH mail reader.
It was written such that PGP-signed mail is checked as a matter of course
(if the key is known, it's checked, otherwise a button is popped that
allows the user to query the pgp key servers).
I've pretty much never reported mismatched signatures, because they
were simply too frequent due to brain dead MTAs.  Since then the
PGP/MIME standard has been introduced and it is supposed to be more
robust, but many mail agents still don't support it or support
it badly (it's more difficult to implement).
So I don't think it's just that the tools are hard to use, but that
they are still not robust enough that a mismatch makes me raise
my eyebrows.


        Stefan