Several questions as feedback on gnupg

Ingo Klöcker ingo.kloecker@epost.de
Thu Jan 24 21:38:02 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday 24 January 2002 02:53, Mike Touloumtzis wrote:
> I can't see how getting my key from a keyserver is any safer than
> getting a "specially prepared key" from me.  I can upload whatever I
> want to the keyservers.  Can you explain why you believe downloading
> from the keyservers is safer?  Is there material which is relevant to
> the signing process, not covered by the fingerprint, and not visible
> in the UID?

If you upload your key to a keyserver everyone can get it from there.
Therefore it would be much more dangerous for you to upload a key with
a wrong UID.
OTOH, if you send me your key and I send the signed key back to you then
it's just me who knows about this key. And then you could add a
malicious UID and probably trick my non-OpenPGP-understanding friends
into signing it because I signed your key. And if I trusted my friends
maybe marginally (which I obviously had better not) you could get
your malicious UID to be valid for me. Of course this example is very
hypothetical. So it doesn't really matter much how I get your key.


Regards,
Ingo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8UG8MGnR+RTDgudgRApZCAKCUMzcyULVT4WQkSqVHOqmbPmgeYQCgkcDm
e/rFwb8PMqBDRbkC0jhc024=
=PGUF
-----END PGP SIGNATURE-----
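The trust calculation Ingo sketches (a signature certifies one UID, not the whole key, and a UID becomes valid through one fully trusted certifier or several marginally trusted ones) replayed as an added Python example; it is not code from the thread or from GnuPG. The key ids, names and addresses are constructed, and the validity rule is a simplified model using GnuPG's default thresholds (completes-needed=1, marginals-needed=3).

```python
# Simplified OpenPGP web-of-trust validity check (added example, not GnuPG
# code). Assumptions: constructed key ids/names/addresses; thresholds mirror
# GnuPG's defaults (completes-needed=1, marginals-needed=3).
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3


def uid_is_valid(certifiers, owner_trust):
    """A UID is valid if it carries a certification from one fully or
    ultimately trusted key, or from MARGINALS_NEEDED marginally trusted
    keys. Certifications bind a UID to a key, so every UID is judged on
    its own signatures; a signature on another UID of the same key does
    not count."""
    full = sum(owner_trust.get(k) in ("full", "ultimate") for k in certifiers)
    marginal = sum(owner_trust.get(k) == "marginal" for k in certifiers)
    return full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED


def mikes_key_validity(friend_trust):
    """Replay the scenario from the mail: Ingo signs Mike's genuine UID,
    Mike later adds a second UID, and three of Ingo's friends sign that
    second UID because they saw Ingo's signature on the key. friend_trust
    is the owner trust Ingo assigns to those friends (None or 'marginal').
    Returns {uid: valid_for_ingo}."""
    friends = ["FRIEND1", "FRIEND2", "FRIEND3"]
    uids = {
        # genuine UID: self-signature plus Ingo's certification
        "Mike Touloumtzis <mike@example.invalid>": {"MIKE", "INGO"},
        # UID added afterwards: self-signature plus the friends' certifications
        "Someone Else <someone@example.invalid>": {"MIKE", *friends},
    }
    owner_trust = {"INGO": "ultimate"}  # Ingo evaluating his own keyring
    if friend_trust:
        owner_trust.update({f: friend_trust for f in friends})
    return {uid: uid_is_valid(certs, owner_trust) for uid, certs in uids.items()}


if __name__ == "__main__":
    for trust in (None, "marginal"):
        print(f"friends' owner trust: {trust}")
        for uid, valid in mikes_key_validity(trust).items():
            print(f"  {'valid  ' if valid else 'invalid'}  {uid}")
```

Without owner trust on the friends the added UID stays invalid despite Ingo's signature on the genuine UID; once three friends are marginally trusted, their certifications alone make it valid for Ingo.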