Henry Bremridge wrote:
>
> "Do you want to use your own openPGP or smime key, if so please
> upload it here. If not then we will communicate with you in the
> normal way via this web based email system"

How do they validate this is you, and your key? Seems it depends on the original email being read by the correct person?

So this is marginally better than sending a plain text email, as at least an attacker would have to intercept the first email. Although if they have this bit of the protocol wrong for using encryption....

I think they would be better advised to just get your key from the publicly accessible key servers and see if there is a vaguely plausible trust relationship and the key isn't revoked. They could do this without bothering you at all before sending the email if they stick with OpenPGP with a couple of lines of script (less if they use a mail client that will do it for them).

All your financial complaints belong to Dan Kaminsky.

Probably safer for them just to send it as plain text email, than to centralise all the sensitive information in one third party system which appears to be hosted in a jurisdiction not covered by EU privacy laws.

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html
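The key-server check suggested in the message above, sketched as an added example that is not part of the original post: fetch the recipient's key, then read GnuPG's machine-readable listing to see whether it is revoked, expired, or carries at least marginal validity in the sender's web of trust. The function names `lookup_key`, `key_verdict` and `sample_listing`, the address and the sample records are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Field layout of `gpg --with-colons` records:
# field 1 = record type, field 2 = validity, field 12 = capabilities.

# Fetch a key by address and list it (needs network; not run below).
lookup_key() {
    gpg --batch --auto-key-locate keyserver --locate-keys "$1" >/dev/null &&
    gpg --batch --with-colons --list-keys "$1"
}

# Read one key's colon listing on stdin and print a one-word verdict.
key_verdict() {
    awk -F: '
        $1 == "pub" {
            seen = 1; validity = $2
            if ($12 ~ /D/) disabled = 1       # "D" marks a disabled key
            if ($12 ~ /e/) enc = 1            # primary key can encrypt
        }
        # An encryption subkey that is neither revoked nor expired.
        $1 == "sub" && $12 ~ /e/ && $2 !~ /^[re]$/ { enc = 1 }
        END {
            if (!seen)                    print "missing"
            else if (validity == "r")     print "revoked"
            else if (validity == "e")     print "expired"
            else if (disabled)            print "disabled"
            else if (!enc)                print "no-encryption-key"
            else if (validity ~ /^[fu]$/) print "trusted"
            else if (validity == "m")     print "marginal"
            else                          print "untrusted"
        }'
}

# Constructed sample listings (not real keys).
sample_listing() {   # $1 = validity letter to place on each record
    printf '%s\n' \
        "pub:$1:4096:1:1111111111111111:1262304000:::-:::scESC:" \
        "uid:$1::::1262304000::0000::Constructed User <user@example.org>:" \
        "sub:$1:4096:1:2222222222222222:1262304000::::::e:"
}

for v in f m - r; do
    printf '%s -> %s\n' "$v" "$(sample_listing "$v" | key_verdict)"
done
```

In real use the verdict would come from `lookup_key user@example.org | key_verdict`; anything other than "trusted" or "marginal" means the key was found but nothing in the sender's keyring vouches for it.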