discussion on increasing amount of gpg signatures...
Evan Prodromou
evan@prodromou.san-francisco.ca.us
Sat Oct 13 20:04:02 2001
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
>>>>> "MA" == Matt Armstrong <matt@lickey.com> writes:

MA> Verifying that the key holder has control of the key's e-mail
MA> address isn't part of many key signing party verification
MA> procedures, especially less formal ones.

This is extremely true. One way to ameliorate this is to use a
challenge-response pair for each e-mail address on the key.

For example, when I meet Matt Armstrong at a key-signing party, after
checking his identification papers of whatever sort, I give him a slip
of paper with a unique challenge bitstream to take home. A good
password generator will make a decent bitstream creator, giving
semi-readable streams like "underw3ar%beaujolais".

When I get home to my computer, I send matt@lickey.com _another_
challenge bitstream, such as "spock8free-dmitry". Matt then sends back
_both_ bitstreams, e.g.,

---BEGIN EXAMPLE FAKE PGP SIGNED DATA---
underw3ar%beaujolais
spock8free-dmitry
---END EXAMPLE FAKE PGP SIGNED DATA---

Now I know with reasonable certainty that the person I met at the
party is the same person who receives mail at matt@lickey.com, and
that both people are the same as the person who uses key X. I can sign
the key with some margin of certainty.

Note that the challenge doesn't have to be spectacularly long or
unique. A brute-force dictionary attack isn't going to work in this
situation -- if I get back 500 billion messages, starting with
"aardvark1aardwolf" and ending with "zymurgy)zither", chances are I'll
be just a teensy bit suspicious of the situation.

There are, of course, some attacks on this. For example, Matt
Armstrong (the person whose ID and key signature I verified at the key
party) could be intercepting mail for matt@lickey.com, and falsifying
headers to send mail from the same address. Or, Matt Armstrong could
have been mugged on the way home from the keyparty, his secret key as
well as my slip of paper with the challenge stream stolen by the
(entirely different) guy who gets mail at matt@lickey.com, and said
mugger could then be sending out signatures.

But it's a pretty reasonable mechanism.

~ESP
- --
Evan Prodromou
evan@prodromou.san-francisco.ca.us
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
iD8DBQE7yJG9ozwefHAKBVERAt0DAKCo1j7R6oGpNyRTRSkkNTptfNKqZQCgze9f
2j8yLpVGZcNBq9fl4UkfUw4=
=yk7L
-----END PGP SIGNATURE-----
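
Added example, not part of the original message: a Python sketch of the signer's bookkeeping for the two-challenge scheme described above, with one challenge pair per e-mail address on the key and a cap on wrong replies so that a flood of guesses is treated as the alarm. The names `make_challenge`, `SigningLedger` and `MAX_FAILURES` are hypothetical, the fingerprint and address are constructed, and the code assumes the signature on each reply was already verified separately (for example with gpg), so it only receives the signer's fingerprint and the signed lines.

```python
import secrets
from dataclasses import dataclass

def make_challenge(syllables=4):
    """Semi-readable challenge in the style of the post: word, separator, word."""
    def word():
        return "".join(secrets.choice("bdfgklmnprstvz") + secrets.choice("aeiou")
                       for _ in range(syllables))
    return word() + secrets.choice("0123456789%-)") + word()

@dataclass
class Pending:
    paper: str         # slip handed over in person at the party
    mailed: str        # second challenge, sent later to the address on the key
    failures: int = 0

class SigningLedger:
    MAX_FAILURES = 3   # assumed threshold: a flood of guesses is itself the alarm

    def __init__(self, fingerprint, emails):
        self.fingerprint = fingerprint
        # One independent challenge pair per e-mail address on the key.
        self.pending = {e: Pending(make_challenge(), make_challenge()) for e in emails}
        self.verified = set()

    def check_reply(self, email, signer_fpr, signed_lines):
        """Assumes the caller already verified the signature (e.g. with gpg) and
        passes in the signer's fingerprint and the signed text lines."""
        entry = self.pending.get(email)
        if entry is None or entry.failures >= self.MAX_FAILURES:
            return False   # unknown address, already verified, or locked out
        got = {line.strip() for line in signed_lines}
        ok = (signer_fpr == self.fingerprint
              and entry.paper in got and entry.mailed in got)
        if ok:
            self.verified.add(email)
            del self.pending[email]
        else:
            entry.failures += 1
        return ok

    def addresses_to_sign(self):
        return sorted(self.verified)

if __name__ == "__main__":
    fpr, addr = "CONSTRUCTED-FINGERPRINT", "user@example.org"  # constructed values
    ledger = SigningLedger(fpr, [addr])
    slip = ledger.pending[addr]
    print(ledger.check_reply(addr, fpr, [slip.paper, slip.mailed]))
```

Only the addresses returned by `addresses_to_sign()` have passed both the in-person and the e-mail leg; the sketch does not address the interception and theft cases the message itself lists.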