What can I expect at a Key Signing party?

Ingo Klöcker ingo.kloecker@epost.de
Mon Oct 15 01:05:02 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sunday 14 October 2001 20:54, Jean-David Beyer wrote:

> Now if I send you an encrypted e-mail using the public key I got for you
> by looking up mwl+gnupg@alumni.unh.edu on a keyserver, someone will
> get it; presumably you, and only you should be able to read it. Is
> what protects you from erroneously signing my public key the fact
> that the email came to you from jdbeyer@jdbeyer.exit109.com?
> Certainly the fact that I have your public key gives you no
> assurance. Can you really trust the From: or Return Path: headers? I
> guess a man in the middle would not be expected to do this on the
> off-chance of catching this exchange. Is the unlikelihood of this
> sufficient to induce you to sign my key?
You don't have to trust From: and/or Return Path: headers. What you do is you send an encrypted message which contains some random text (the challenge) to each of the email addresses on the public key. Of course for each address you have to choose a different random text. Whoever receives those messages will only be able to decrypt the random text if he is in possession of the private key which corresponds to the public key you used to encrypt the messages. The key owner will now send back the random text(s) (of course signed with his key) to you. Then you compare the random text(s) you sent the person and the random text(s) in the replies. If they all match then you know that the person whose key you are about to sign has access to all the email addresses you sent a challenging message to. Of course he could have intercepted the messages somehow between you and the intended recipient. But that's very unlikely.

Regards,
Ingo

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7yhopGnR+RTDgudgRAlp5AKDIL7/9vFRVkvN4dHpMF6Fa/x+7owCdHPuq
K9MnQS4JzVoMP11Qcb+VErM=
=0uMn
-----END PGP SIGNATURE-----
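An added example of the verifier's side of the challenge/response step described above (written for this page, not code from the post or from GnuPG): it issues one distinct random challenge per address on the key and, once gpg has decrypted and signature-verified the replies, checks that every address came back with its own token under the same key's signature, never consulting a From: header. The fingerprint, addresses and reply texts are placeholders; the gpg invocations are only referenced in comments.

```python
"""Verifier bookkeeping for the per-address challenge used before signing a key.

Encryption, decryption and signature checks happen in GnuPG outside this script
(gpg --armor --encrypt -r <fingerprint>; gpg --decrypt on each reply). This code
only issues the challenges and checks the decrypted, signature-verified replies.
"""
import secrets
from typing import Dict, List, Tuple


def issue_challenges(fingerprint: str, addresses: List[str]) -> Dict[str, str]:
    """Return one distinct random challenge per email address on the key.

    Each token is mailed, encrypted to `fingerprint`, to its own address only,
    so a correct reply shows the key holder could read mail at that address.
    """
    challenges: Dict[str, str] = {}
    for addr in addresses:
        token = secrets.token_hex(16)            # 128 random bits per address
        while token in challenges.values():      # keep tokens distinct
            token = secrets.token_hex(16)
        challenges[addr] = token
    return challenges


def verify_replies(fingerprint: str, challenges: Dict[str, str],
                   replies: List[Tuple[str, str]]) -> Tuple[List[str], List[str]]:
    """Check replies gpg has already decrypted and signature-verified.

    `replies` holds (signer fingerprint reported by gpg, reply plaintext).
    A reply counts for whichever address its token was sent to, and only when
    signed by the key being checked. Returns (addresses proven, problems).
    """
    by_token = {tok: addr for addr, tok in challenges.items()}
    proven: List[str] = []
    problems: List[str] = []
    for signer, text in replies:
        if signer != fingerprint:                # wrong key: ignore the content
            problems.append(f"reply signed by {signer}, not {fingerprint}")
            continue
        matched = [addr for tok, addr in by_token.items() if tok in text]
        if not matched:
            problems.append("reply contains none of the issued challenges")
        for addr in matched:
            if addr not in proven:
                proven.append(addr)
    for addr in challenges:                      # every address must answer
        if addr not in proven:
            problems.append(f"no valid reply for {addr}")
    return proven, problems
```

Only sign the key once `problems` is empty; a partial result tells you which user IDs were not confirmed.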