<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Those who are concerned about what it means to sign another person's
key would do well to consider also what it means to publish their
own key.<br>
<br>
I publish mine, below the following text:<br>
<br>
WHAT THIS KEY IS FOR<br>
<br>
This public key lets you do either or both of two things:<br>
<br>
(a) encrypt a message so that only the use of the corresponding
private key will make it intelligible; or<br>
<br>
(b) verify that a signature attached to a message was made by the
corresponding private key.<br>
<br>
What good does that do, in either case?<br>
<br>
It depends how good I am at ensuring that the private key remains
under my sole control. If I am the only person who can use the key to
decrypt documents, then I am the only person who can understand
messages encrypted with the public key.<br>
And if I am the only person who can use the key to sign a message, a
signature verified by the public key must have been made by me.<br>
<br>
But of course there is a snag, because neither of those conditions
can be reliably assured. Both are based on (fairly) modern
cryptography, and that depends on the use of computers to carry out
the necessary cryptographic functions. Computers, especially when
connected to the Internet, are not secure. They are vulnerable to
attacks using malicious software and other techniques. These
sometimes exploit software errors, such as errors in the
implementation of cryptographic functions or procedures. I take what
I think are reasonable precautions to protect my private key, but I
cannot be sure that they are sufficient; and I stand no chance of
detecting software errors. If it turns out that my precautions are
insufficient, then unknown third parties may be able to read
encrypted documents meant for my eyes only, and may be able to attach
signatures to messages which will verify correctly using my public
key.<br>
<br>
Using my public key is better than not using it; but neither you nor
I can really know how much better. Proceed with caution; and don't
blame me if it goes wrong.<br>
<br>
........................................................................<br>
<br>
If you don't make it explicit what promises follow from the
publication of your key, you might find that a court will decide
what was implied; and that might not be what you had in mind at all.<br>
<br>
Nicholas Bohm<br>
<div class="moz-signature">-- <br>
<style type="text/css">
A:link
{ text-decoration: none; color:#0000bb; }
A:visited
{ text-decoration: none; color:#990099; }
A:active
{ text-decoration: none; color:#bb0000; }
A:hover
{ text-decoration: underline; color:#bb0000; }
</style><span style="font-family: monospace;"><a
href="http://www.ernest.net/contact/index.htm">Contact
and PGP key here</a></span><br>
</div>
</body>
</html>