Relevance of PGP?

Edward Ned Harvey blu-Z8efaSeK1ezqlBn2x/YWAg at public.gmane.org
Tue Jun 14 09:37:12 EDT 2011


> From: Derek Martin [mailto:invalid-yPs96gJSFQo51KKgMmcfiw at public.gmane.org]
> Sent: Monday, June 13, 2011 3:35 PM
> 
> If you don't take the time to actually verify BOTH the identity of the
> person sending you messages, and the secret they've given you, then
> you're right, there's no difference.  Both are worthless, beyond
> keeping casual prying eyes from seeing your conversation... you
> never really know for sure that you're communicating with the person
> you think you are at the time.

You're saying that because the OS "trusts" a list of root CAs, then
anybody who can infiltrate or circumvent security measures of any of those
CAs can forge communications on behalf of anyone.

True.  You can only trust S/MIME signing/encryption as much as you trust the
procedures of the root CAs.

But be careful before saying how worthless that is.  This is all the
protection you get on any site using https...  So if you do any online
banking, paying of your bills, or anything else, you're implicitly saying
you trust your CAs with all of those communications.

Now ... Is the information in your email more or less sensitive or valuable
compared to all your https communications?  Certainly, for some people
sometimes, you would need something stronger than SSL due to lack of CA
trust.  For the KGB or CIA, certainly SSL CA trust would not be acceptable.
But for me and most users wishing to secure their communications, it
certainly is good enough.  None of my email is more valuable than my bank
account, and yes I frequently use https to access my bank.
