AW: Re: laying groundwork for an eventual migration away from SHA1 with gpg
Robert J. Hansen
rjh at sixdemonbag.org
Thu May 21 16:59:21 CEST 2009
This subject is increasingly off-topic for -devel. I've cc'd this
message to -users; let's see if we can't move the thread there.

Niels Dettenbach wrote:
> Hmmm, keysigning parties make sense if they strictly follow serious
> procedures and requirements - but can't give 100% security (as with
> most other identity checks too). Even a passport could be modified or

With a high-quality forged passport I can not only travel -- I can also
vote, run for (most) public offices, get utilities in my name, open bank
accounts, and so on. Those secondary pieces of documentation won't be
forgeries, they'll be real -- and once I have them, I destroy my forged
passport and settle into my new assumed identity.

If the attacker is smart enough and savvy enough to get a high-quality
forged passport, there's no way they'll present it for inspection to
someone who's actively looking for a forged passport. They'll present
their real (obtained illegally and containing incorrect information, but
quite real) identity documents instead.

Further, you won't find 100% security anywhere. Pursuing it is an
ephemera. You won't get there, and if you obsess over it your obsession
will ultimately hurt your security.